tag:blogger.com,1999:blog-68143407672120591732018-03-10T17:06:17.887+05:30Anish Shaikh's TechFactorInformation Security BlogAnoreply@blogger.comBlogger388125tag:blogger.com,1999:blog-6814340767212059173.post-37488149748218750882012-09-05T22:10:00.001+05:302012-09-05T22:10:46.726+05:30How To Handle A Data Breach: 5 smb tips<div><p>How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.<br>1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing--and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. "I've gone through a lot of breach responses with companies where people are literally sitting around a table saying 'I had no idea we were doing that,'" Spiezle said. That can exponentially complicate matters when a data-loss event occurs--you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.<br>The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.<br>2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer--much less an entire compliance staff--or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. 
These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.<br>Alas, while there are vendors that can help, there's no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. "It is a very complex issue, and [it] again underscores the importance of pre-planning," he said.<br>Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it's much better to do this when you don't already have a problem--it's tough to get the best terms if you're negotiating at 3 a.m. on a Saturday after a breach has already occurred.<br>3. Who Will You Notify? Knowing who you'll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. "This might be partners, customers, [or] government agencies," Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.<br>4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it's a case-by-case decision. With law enforcement or other government agencies, it's usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don't want them to find out from the media or other external sources. On the other hand, you don't want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided by the regulatory requirements your company operates under, too. 
Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.<br>5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1--it's tough to accurately message a breach if you don't know what data you had in the first place. If you've got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.</p></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/09/how-to-handle-data-breach-5-smb-tips.htmltag:blogger.com,1999:blog-6814340767212059173.post-83463747011384202192012-07-03T12:21:00.000+05:302012-07-03T12:21:05.721+05:30WhiteHat Security Statistics Report 2012<div dir="ltr" style="text-align: left;" trbidi="on"><br /><b>WhiteHat’s 12th Website Security Statistics Report represents far and away the largest amount of data we’ve ever analyzed — hundreds of terabytes worth. Just in terms of the total number of websites, it’s over twice the number since our last report. It’s easily the most complete and longest running study focused on the state of website security.</b><br /><br />Within this report we are very excited by the introduction of two new industries, Energy and Non-Profit. Historically, WhiteHat has reported vulnerability metrics generalized across industries. This increased website diversity increases our ability to share lessons learned.<br /><br /><b>KEY FINDINGS IN 2011</b><br /><br />1. The average number of serious* vulnerabilities found per website per year was 79, a significant reduction from 230 in 2010 and down from 1,111 in 2007.<br /><br />2. Cross-Site Scripting reclaimed its title as the most prevalent website vulnerability, identified in 55% of websites.<br /><br />3. Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.<br /><br />4. There was notable improvement across all verticals, but Banking websites possessed the fewest security issues of any industry, with an average of 17 serious* vulnerabilities identified per website.<br /><br />5. Serious* vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.<br /><br />6. The overall percentage of serious* vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. A rough 7% average improvement per year over each of the last four years.<br /><br />7. The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%.<br /><br />8. The average number of days a website was exposed to at least one serious* vulnerability improved slightly to 231 days in 2011, from 233 days in 2010. Find the full <a href="https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf" target="_blank">report here</a>.<br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/07/whitehat-security-statics-report-2012.htmltag:blogger.com,1999:blog-6814340767212059173.post-69683235034268616892012-06-30T15:30:00.000+05:302012-06-30T15:30:09.962+05:30How to Improve your network security<div dir="ltr" style="text-align: left;" trbidi="on"><br />When it comes to investing in network security, there are three types of IT philosophies.<br /><br />"There are the ones that value technology and see it as a strategic advantage in their environment, and they'll invest heavily in it. There are the ones that know they need it and they're willing to invest where they need to," says Rick Norberg, president of Atrion Networking SMB, an IT service provider. "And then there are the ones that just see it as the cost of doing business. And those are the ones that tend to be unprotected, unmanaged and dedicate inadequate staff resources in order to plan through security."<br /><br />Don't get pegged in that third group, Norberg warns. According to Norberg and several other IT experts, there are a number of ways to revamp your thinking and your network design for better IT functionality and improved security. 
Here's where they say to start.<br /><br /><b>Build Backward from Mandates</b><br /><br />According to Norberg, before designing your network it's important to take a step back and think about a couple of critical variables, including:<br /><br />What vertical you operate in;<br />What compliance mandates you answer to;<br />Where you want technology to take the company in the next three years.<br />Then design back from there, he suggests. When taken into consideration early in the design process, these elements should have significant bearing on the choices you make in infrastructure and deployment options.<br /><br />"Sometimes, people will just buy cheap switches, network gear, firewalls and things like that because they're inexpensive. And they throw them in," says Norberg. "Then when they have a breach, they realize they just paid a zillion dollars to the government or to a credit card company or something like that in order to remediate it. And then they have to go buy the more expensive gear anyway. 
Taking an 'it can't happen to me' approach is probably not the best way to design a system."<br /><br /><b>Know Where Data Sits</b><br /><br />One of the biggest weaknesses of many organizations is the lack of visibility into where exactly important data sits on the network.<br /><br />Scott Laliberte, managing director at global business consulting and auditing firm Protiviti, says, "Among the things that clients we are working with are spending more time on is not only data leakage prevention--making sure it doesn't go out on the front end--but also what I call 'data discovery,' which is being more confident and clear on where the data for sensitive information really does reside and then organizing it in such a way that you can manage it in a segmented way."<br /><br />According to a Protiviti survey earlier this year, organizations still struggle with data discovery and classification--just 50% of respondents said they have a specific plan in place to categorize data. And according to Laliberte, when he engages with clients to do data discovery on their network for the first time, surprises are common.<br /><br />"In almost every instance there is a surprise found by the client as to where some of the sensitive data is," he says.<br /><br /><b>Modularity Is the Name of the Game</b><br /><br />The more modular you can design a network, the easier it is to control and monitor traffic, according to Norberg.<br /><br />"You want a network that you're able to functionally monitor and secure, so you're controlling the traffic on the network. You want one that can grow with the users," he says. "A lot of times, you start with a flat network and then you start to modularize the phone traffic, the PC traffic and, if they're in a retail environment, some of the POS terminals to make sure they're secure and separated from each other. 
And then you want to get more granular from there."<br /><br />When done efficiently, network segmentation and modularity give a lot more flexibility in prioritizing risky segments of the network so you can focus your monitoring and security efforts on the most critical areas rather than having to worry about all of the infrastructure in aggregate. That's a step up from what most organizations are used to, says Norberg.<br /><br />"Traditionally, you might just slap a firewall into there and when it goes down, the customer calls you," he says. "These days, we're actually looking at the logs and doing proactive monitoring on the devices to make sure that they're not only secured and updated with the latest firmware, but you're also looking at what's happening with the firewall and the connection itself."<br /><br /><b>Manage Firewalls More Intelligently</b><br /><br />Speaking of firewalls, organizations have to take an active management approach to their firewall rules if they're going to get the most out of these assets. With most enterprises today depending on thousands of firewalls dispersed throughout their network fabric, firewall management has become an important element both for efficient IT operations and effective IT security.<br /><br />"The core of network complexity begins with a firewall," says Kevin Beaver, founder and principal information security consultant at Principle Logic.<br /><br />Beaver says that, all too often, he sees organizations that believe that their security is OK. However, once he starts digging into their firewall rule sets and configurations, security holes are discovered.<br /><br />"[We find] system configuration problems, weak passwords, network segments that shouldn't be talking to one another, ports that are open," he says. "I often see database servers that are sitting out on the public Internet wide open for attack."<br /><br /><b>Patch</b><br /><br />Patch management isn't just for endpoints. 
Smart organizations need to have utilities in place that can automate system patching across all IT infrastructure.<br /><br />"If I'm the IT director for the company, I want to make sure I'm using every tool capable of doing updating firmware and software on an immediate basis and alerting and reporting on it," says Norberg. "Generally, you want to buy a third-party product that's capable of doing more than just one particular manufacturer. Otherwise, you run into problems where you've got some of this gear, some of that gear, some of these servers, and then you end up spending a lot of your time not being very efficient in the way you're patching things."<br />&nbsp;<a href="http://www.networkcomputing.com/data-networking-management/240002711?printer_friendly=this-page" target="_blank">source</a><br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/06/how-to-improve-your-network-security.htmltag:blogger.com,1999:blog-6814340767212059173.post-52458441361168397812012-06-04T22:31:00.001+05:302012-06-04T22:31:02.536+05:30Apple guide to iOS Security<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">Apple has introduced a guide to iOS security, which was&nbsp;<a href="http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf" style="color: #1155cc;" target="_blank">posted</a>&nbsp;to Apple.com sometime in late May, but is just now being noticed outside the Apple developer community. The publication is notable because it’s the first time Apple has published a comprehensive guide intended for an I.T. audience. 
(Apple’s developer-friendly documentation on security matters is <a href="https://developer.apple.com/search/index.php?q=ios+security" style="color: #1155cc;" target="_blank">easy to spot</a>, however).</div><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">The new guide includes four sections dedicated to topics like system architecture, encryption and data protection, network security, and device access.</div><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">In reading the introduction, it’s clear that the guide’s intention is to better help corporate I.T. understand the security environment with iOS devices, including iPhones, iPod Touches, and iPads. It’s important that these details are documented in language I.T. understands as more and more businesses allow personal devices on their network and implement their own BYOD (bring your own device) programs.</div><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">To this point, the report begins:</div><blockquote style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">“Apple designed the iOS platform with security at its core. 
Keeping information secure on mobile devices is critical for any user, whether they’re accessing corporate or customer information or storing personal photos, banking information, and addresses….<br>For organizations considering the security of iOS devices, it is helpful to understand how the built-in security features work together to provide a secure mobile computing platform.”</blockquote><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">While some may imagine the guide to be an example of Apple’s increasing openness (on matters not related to new products, that is…), much of the information contained in the guide is not new at this point in time. It has simply been repackaged for a different audience.</div><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">However, the guide does detail things like how the code-signing process and ASLR (address space layout randomization) work in iOS, details that security researchers had already uncovered before Apple’s reveal.</div><div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; text-align: -webkit-auto;">Another I.T.-friendly tidbit includes a list of items which administrators can restrict using configuration profiles within their Mobile Device Management solution. For example, Siri (<a href="http://www.techmeme.com/120523/p12" style="color: #1155cc;" target="_blank">as IBM recently did</a>), plus FaceTime, the camera, screen capture, app installs, in-app purchases, Game Center, YouTube, pop-ups, cookies and more. Users may have more freedom of choice in terms of devices they use for work than in years past, but corporate I.T. is now adapting so it can deliver the same level of protection it once did in the BES/BlackBerry era…or, as an end user might tell you – the same level of lockdown. (What, no YouTube at work? 
No fair.)</div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/06/apple-guide-to-ios-security.htmltag:blogger.com,1999:blog-6814340767212059173.post-2301833360927874902012-06-04T21:28:00.001+05:302012-06-04T21:28:19.565+05:30Security for Small Business - in Points<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;"><strong style="font-style: inherit;">1) No security plan is foolproof.</strong>&nbsp;Comforting, isn't it? But it's true--there is no such thing as 100% secure, and I've yet to encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That's not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB's job: don't be an easy mark. Practice&nbsp;<a href="http://www.informationweek.com/news/smb/security/231002051" style="color: #003bb0; outline: none;">good basic security</a>&nbsp;at bare minimum. 
If time and&nbsp;<a href="http://www.informationweek.com/news/smb/security/240001331" style="color: #003bb0; outline: none;">money</a>&nbsp;are key challenges, consider a&nbsp;<a href="http://www.informationweek.com/news/smb/security/232400175" style="color: #003bb0; outline: none;">risk-management approach</a>--more on that below in number five.</div><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;"><strong style="font-style: inherit;">2) You might not know it if you're infected.</strong>&nbsp;Flame's just now&nbsp;<a href="http://www.informationweek.com/news/security/attacks/240001094" style="color: #003bb0; outline: none;">coming to light</a>, but it has existed since 2010--and possibly as far back as 2007. Even if you've got strong security controls in place, you might not necessarily know if you've been infected by malware or other means. "Most malware is written to be very stealth and not let you know that it's on the machine, so what Flame does is very typical," Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches--the straightforward anti-virus programs of yore aren't likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. 
Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.</div><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;"><strong style="font-style: inherit;">3) Attacks are increasingly sophisticated.</strong>&nbsp;The&nbsp;<a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240001129/flame-fans-notion-of-more-weapons-yet-to-be-found.html" style="color: #003bb0; outline: none;">complexity</a>&nbsp;of today's security threats almost makes you long for the good old days of the&nbsp;<a href="http://www.pandasecurity.com/homeusers/security-info/1894/Wazzu" style="color: #003bb0; outline: none;">Wazzu virus</a>. Flame appears to have reset the bar. For SMBs, it's a reminder that a set-it-and-forget-it security plan is a recipe for failure. What worked in 2010 probably won't pass muster in 2012. "You really need to review everything [periodically]," Haley said. That's important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security--or doesn't--it might want to consider more frequent checks on its technologies and processes to ensure it's keeping up with the times.</div><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;"><strong style="font-style: inherit;">4) Reputation harm can be expensive.</strong>&nbsp;The fallout from the Flame revelation is just getting started, but it's safe to say this is a public embarrassment for the affected governments. For SMBs, it's a reminder that security breaches don't necessarily need to hit your bank account to be costly. 
A website that gets co-opted into a malware host, for example--they're at an all-time high, according to Symantec's most recent annual security report--could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.</div><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;">"It's bad enough if you get your money or your customer list or some sort of intellectual property stolen," Haley said. "But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can't keep your information secure."</div><div style="background-color: white; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; padding: 14px 0px 0px;"><strong style="font-style: inherit;">5) Prioritize your most important assets.</strong>&nbsp;A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets--banking credentials and other financial information, customer databases, and intellectual property, to name a few examples--and focus your efforts there. 
That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.</div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/06/security-for-small-business-in-points.htmltag:blogger.com,1999:blog-6814340767212059173.post-85232312909915539662012-05-31T16:48:00.004+05:302012-05-31T16:48:55.154+05:30Security in the Cloud<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: inherit;"><br /></span><br /><div class="MsoNormal" style="background-color: white; border: 0px; color: #37414b; line-height: 19px; margin-bottom: 15px; padding: 0px; text-align: justify; vertical-align: baseline;"><span style="font-family: inherit;">Security is one of (if not THE) top concern companies and users have with cloud computing. The issue of cloud security, however, is much more complex than simply “is the cloud secure or not”. A cloud-based application can be hosted in a secure environment, with properly encrypted data and everything, and an attacker can still get access to your information through social engineering. On the other hand, you can have the most secure password policies in the world, but if the hosting environment gets hacked, you are still going to lose your data.</span></div><div class="MsoNormal" style="background-color: white; border: 0px; color: #37414b; line-height: 19px; margin-bottom: 15px; padding: 0px; text-align: justify; vertical-align: baseline;"><span style="font-family: inherit;">Any proper solution that tries to address the cloud security issues that exist today must take into account the three sides of the security issue: technology, processes, and responsibility. Another important factor to take into account is that the details and the importance of each one of these, relative to the others, change according to where in the cloud stack we are. 
Building secure cloud software is very different from security at the cloud platform level, and from secure infrastructure as well.</span></div><h2 style="background-color: white; border: 0px; color: #37414b; line-height: 1.23em; margin: 0px 0px 10px; padding: 0px; text-align: -webkit-auto; vertical-align: baseline;"><span style="font-family: inherit; font-size: small;">Technology</span></h2><div class="MsoNormal" style="background-color: white; border: 0px; color: #37414b; line-height: 19px; margin-bottom: 15px; padding: 0px; text-align: justify; vertical-align: baseline;"><span style="font-family: inherit;">The first step is to employ the proper technology to secure applications and data. “Proper technology” varies widely depending on what layer of the cloud we are talking about. For cloud applications, security can be as simple as deploying proper security certificates and encryption. All sensitive information needs to be properly encrypted, so that even if an attacker gains access to your systems, any data that gets stolen will still need to be decrypted to be gotten at. And it’s not enough to simply encrypt passwords: if you know that people commonly employ their birthdays as passwords, encrypt that as well. As much as possible, technology should protect users from themselves without inconveniencing them.</span></div><div class="MsoNormal" style="background-color: white; border: 0px; color: #37414b; line-height: 19px; margin-bottom: 15px; padding: 0px; text-align: justify; vertical-align: baseline;"><span style="font-family: inherit;">A very interesting solution in this space is&nbsp;<a href="http://www.porticor.com/porticor-virtual-private-data/" style="border: 0px; color: #003399; cursor: pointer; font-style: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">Porticor’s Virtual Private Data</a>. 
It’s basically an encryption layer that sits transparently on top of any cloud data store, performing dynamic data encryption/decryption as data gets accessed. I recommend that anyone interested in securing cloud applications take a look at their solution.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">On the lower layers of the cloud stack, security is much the same as it was before the cloud. Cloud platforms need to be secured just as operating systems are, preventing malicious code from taking over other execution sessions or stealing data, and so on. In the infrastructure layer, security is both about maintaining a secure virtualization environment and about physical security. Fortunately, most top-tier cloud infrastructure providers already are very security minded, reducing risks on this side.</span></div><h2 style="border: 0px; line-height: 1.23em; margin: 0px 0px 10px; padding: 0px; text-align: -webkit-auto; vertical-align: baseline;"><span style="font-family: inherit; font-size: small;">Process</span></h2><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">All the technology in the world can’t save you if an attacker can call your receptionist and get her to install malware on your corporate network using her network administrator password. 
This is as true for the cloud as it is for private networks, and while something like this probably wouldn’t happen at a large enterprise, there is a surprisingly large number of small- and medium-size businesses where it just might.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">If a company is deploying a Windows cloud server from Rackspace, for instance, it will come with a pretty complex password, automatic updates enabled, firewall-activated, and so on. Many times, though, the first step that people take is to change the password to something easier to remember – usually “password”, or “Pass1234” because a secure password must always include capital letters and numbers – and create an unprotected FTP tunnel to that server, “just to copy a few things”. What started as a reasonably secure server is now a security breach waiting to happen. It’s not enough to have the proper security tools. Companies need to build processes that actually put those tools to use.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">Companies also underestimate the power of having proper information security policies communicated to all employees. When everyone in the company is security conscious, proper security comes much easier. 
The process side of security doesn’t start with technical processes, but with people, so proper and constant communication is fundamental.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit; line-height: 1.23em; text-align: -webkit-auto;">Responsibility</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">So far, the two aspects we explored are pretty standard. While cloud applications need to be much more security conscious than traditional in-house applications, the technology needed to deploy the extra security is pretty standard. The same thing goes for securing cloud servers. The greatest differences between cloud security and traditional security lie in the matter of responsibility.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">When a company deploys traditional software, IT knows its responsibilities. The software is inside the data centers it operates and controls, and anything that happens – data being stolen, servers being hacked, and so on – is their responsibility. Since IT has full control over the environment, they are comfortable with taking on the burdens that come with this control.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">When things are moved to the cloud, however, IT departments lose control over the environment. It is understandable, then, that they are unwilling to take responsibility for problems that might happen. 
Clearly separated responsibilities help: the hosting provider secures the underlying platform (the virtualization layer, physical security, and so on), and everything above it, including the guest operating system and its patches, credentials, application code and data, falls to the customer. But a division of labour on paper is not enough. Providers need to offer guarantees in case something happens, and to understand where internal IT departments are coming from, in order to improve relations and reduce their concerns.</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit; line-height: 1.23em; text-align: -webkit-auto;">All together</span></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"></div><div class="MsoNormal" style="border: 0px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><span style="font-family: inherit;">These three perspectives need to be taken into account together, or we run the risk of creating an even more complex environment than the one that already exists. In some ways, the cloud has the potential to make things more secure, by providing incentives for, or automating the management of, common security tasks that many small businesses forget about. On the other hand, the concentration of data in the hands of a few service providers makes for very attractive targets, increasing the responsibility of these companies. 
No technology, process, or contract can remove cloud security concerns on its own; anyone weighing the cloud should look at the whole security package, not at technology or process alone.</span></div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/05/security-in-cloud.htmltag:blogger.com,1999:blog-6814340767212059173.post-88501727759713596222012-05-31T16:39:00.000+05:302012-05-31T16:39:05.347+05:30What is Flame Malware and What can we do about it?<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div style="text-align: -webkit-auto;">Known by the names Flame, Flamer, and sKyWIper, the malware is significantly more complex than either Stuxnet or Duqu -- and it appears to be targeting the same part of the world, namely the Middle East.</div><div style="text-align: -webkit-auto;">Preliminary reports from various security researchers indicate that Flame likely is a cyberwarfare weapon designed by a nation-state to conduct highly targeted espionage. Using a modular architecture, the malware is capable of performing a wide variety of malicious functions -- including spying on users' keystrokes, documents, and spoken conversations.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">Vikram Thakur, principal research manager at Symantec Security Response, told&nbsp;<em>eSecurity Planet</em>&nbsp;that his firm was tipped off to the existence of Flamer by Hungarian research group CrySys (Laboratory of Cryptography and System Security). As it turned out, Symantec already had the Flamer malware (known to Symantec as W32.Flamer) in their database as it had been detected using a generic anti-virus signature. "Our telemetry tracked it back at least two years," Thakur said. 
"We're still digging in to see if similar files existed even prior to 2010."</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">Dave Marcus, Director of Security Research for McAfee Labs, told&nbsp;<em>eSecurity Planet</em>&nbsp;that Flamer shows the characteristics of a targeted attack.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">"With targeted attacks like Flamer, they are by nature not prevalent and not spreading out in the field," Marcus said. "It's not spreading like spam, it's very targeted, so we've only seen a handful of detections globally."</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">While the bulk of all infections are in the Middle East, Marcus noted that he has seen command-and-control activity in other areas of the world. Generally speaking, malware command and control servers are rarely located in the same geographical region where the malware outbreaks are occurring, Marcus noted.</div><div style="text-align: -webkit-auto;">The indications that Flamer may have escaped detection for several years are a cause for concern for many security experts.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">"To me, the idea that this might have been around for some years is the most alarming aspect of the whole thing," Roger Thompson, chief emerging threats researcher at ICSA Labs, told&nbsp;<em>eSecurity Planet</em>. "The worst hack is the one you don't know about. 
In the fullness of time, it may turn out that this is just a honking great banking Trojan, but it's incredibly dangerous to have any malicious code running around in your system, because it's no longer your system -- it's theirs."</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;"><strong>Complex and Scalable Code</strong></div><div style="text-align: -webkit-auto;">Although it is still early days in the full analysis of Flamer, one thing is clear -- the codebase is massive.</div><div style="text-align: -webkit-auto;">"Flamer is the largest piece of malware that we've ever analyzed," said Symantec's Thakur. "It could take weeks if not months to actually go through the whole thing."</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">McAfee's Marcus noted that most of the malware he encounters is in the 1 MB to 3 MB range, whereas Flamer is 30 MB or more.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">"You're literally talking about an order of complexity that is far greater than anything we have run into in a while," Marcus said.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">Flamer has an architecture that implies the original design intent was to ensure modular scalability, noted Thakur: "They used a lot of different types of encryption and coding techniques and they also have a local database built in."</div><div style="text-align: -webkit-auto;">With its local database, Flamer could potentially store information taken from devices not connected to the Internet.</div><div style="text-align: -webkit-auto;">"If the worm is able to make it onto a device that is not on the Internet, it can store all the data in the database which can then be transferred to a portable device and then moved off to a command and control server at some point in the future," Thakur said.</div><div 
style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">Portions of Flamer are written in the open-source Lua programming language, which Thakur notes is interesting in that Lua is very portable and could potentially run on a mobile phone. Flamer also uses SSH for secure communications with its command-and-control infrastructure.</div><div style="text-align: -webkit-auto;">Thakur noted that Symantec's research team is trying to trace Flamer back to its origin, but cautioned that it will be a long analytical process. Symantec researchers will dig through all of their databases in an attempt to find any piece of evidence that may be linked to any of the threats exposed by Flamer.</div><div style="text-align: -webkit-auto;">"It's a very difficult job and it's not an exact science," Thakur said.</div><div style="text-align: -webkit-auto;"><strong><br /></strong></div><div style="text-align: -webkit-auto;"><strong>Evaluating the Enterprise Risk</strong></div><div style="text-align: -webkit-auto;">While Flamer is an immense piece of malware, the risk to most enterprise organizations appears to be moderate. McAfee's Marcus stressed that chances of a U.S.-based enterprise IT shop encountering Flamer aren't all that high.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">"In an attack that is as specific to a geography as Flamer looks to be, there is very little chance of this particular variant hitting a wide number of people," Marcus said.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">There is however a more sinister side effect that may come as a result of the discovery of Flamer. 
Marcus stressed that one thing malware writers do exceptionally well is that they learn from other malware writers.</div><div style="text-align: -webkit-auto;">"We can expect in the future for someone to learn from Flamer and use it in a future malware variant," Marcus said.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">On a positive note, security researchers for the "good guys" can also learn from Flamer to help protect enterprises and consumers from similar and future threats.</div><div style="text-align: -webkit-auto;"><br /></div><div style="text-align: -webkit-auto;">"You take the things the enemy gives you and you learn what you can," Marcus said. "That's not to say that malware is ever a good thing, but we try and learn from it."</div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/05/what-is-flame-malware-and-what-can-we.htmltag:blogger.com,1999:blog-6814340767212059173.post-49996617927778505492012-03-08T15:10:00.001+05:302012-03-08T15:10:13.866+05:30Art of Entrepreneurship: Who to Listen to and Why<div dir="ltr" style="text-align: left;" trbidi="on"><br />The art of entrepreneurship and the science of customer development is not just getting out of the building and listening to prospective customers. It's understanding who to listen to and why.<br /> I got a call from Satish, one of my ex-students last week. He got my attention when he said, "following your customer development stuff is making my company fail." The rest of the conversation sounded too confusing for me to figure out over the phone, so I invited him out to the ranch to chat.<br /><br />When he arrived, Satish sounded like he had 5 cups of coffee. Normally when I have students over, we'd sit in the house and we'd look at the fields trying to catch a glimpse of a bobcat hunting. 
<br />But in this case, I suggested we take a hike out to Potato Patch pond.<br /> <h2>Potato Patch Pond</h2>We took the trail behind the house down the hill, through the forest, and emerged into the bright sun in the lower valley. (Like many parts of the ranch this valley has its own micro-climate and today was one of those days when it was ten degrees warmer than up at the house.)<br /> As we walked up the valley Satish kept up a running dialog catching me up on six years of family, classmates and how he started his consumer web company. It had recently rained and about every 50 feet we'd see another 3-inch salamander ambling across the trail. When the valley dead-ended in the canyon, we climbed 30 feet up a set of stairs and emerged looking at the water. A "hanging pond" is always a surprise to visitors. All of a sudden Satish's stream of words slowed to a trickle and just stopped. He stood at the end of the small dock for a while taking it all in. I dragged him away and we followed the trail through the woods, around the pond, through the shadows of the trees.<br /> As we circled the pond I tried to both keep my eyes on the dirt trail while glancing sideways for pond turtles and red-legged frogs. When I'm out here alone it's quiet enough to hear the wind through the trees, and after a while the sound of your own heartbeat. We sat on the bench staring across the water, with the only noise coming from ducks tracing patterns on the flat water. Sitting there Satish described his experience.<br /> <h2>We Did Everything Customers Asked For</h2>"We did everything you said, we got out of the building and talked to potential customers. We surveyed a ton of them online, ran A/B tests, brought a segment of those who used the product in-house for face-to-face meetings." Yep, sounds good.<br /> "Next, we built a minimum viable product." OK, still sounds good.<br /> "And then we built everything our prospective customers asked for." That took me aback.<br /><br />Everything? 
I asked. "Yes, we added all their feature requests and we priced the product just like they requested. We had a ton of people come to our website and a healthy number actually activated." That's great, I said, "but what's your pricing model?" Oh, oh. I bet I knew the answer to the next question, but I asked it anyway. "So, what's the problem?" "Well everyone uses the product for a while, but no one is upgrading to our paid product. We spent all this time building what customers asked for. And now most of the early users have stopped coming back."<br /> I looked hard at Satish trying to remember where he had sat in my class. Then I asked, "Satish, what's your business model?"<br /> <h2>What's Your Business Model?</h2>"Business model? I guess I was just trying to get as many people to my site as I could and make them happy. Then I thought I could charge them for something later and sell advertising based on the users I had."<br /> I pushed a bit harder.<br /> "Your strategy counted on a freemium-to-paid upgrade path. What experiments did you run that convinced you that this was the right pricing tactic? Your attrition numbers mean users weren't engaged with the product. What did you do about it?<br /> "Did you think you were trying to get large networks of engaged users that can disrupt big markets? 'Large' is usually measured in millions of users. What experiments did you run that convinced you could get to that scale?"<br /><br />I realized by the look in his eyes that none of this was making sense. "Well I got out of the building and listened to customers." The wind was picking up over the pond so I suggested we start walking.<br /> We stopped at the overlook atop the waterfall; after the recent rain I had to shout over the noise of the rushing water. I offered that it sounded like he had done a great job listening to customers. 
And better, he had translated what he had heard into experiments and tests to acquire more users and get a higher percentage of those to activate. <br /> But he was missing the bigger picture. The idea of the tests he ran wasn't just to get data - it was to get insight. All of those activities - talking to customers, A/B testing, etc. - needed to fit into his business model - how his company will find a repeatable and scalable business model and ultimately make money. And this is the step he had missed.<br /> <h2>Customer Development = The Pursuit of Customer Understanding</h2>Part of customer development is understanding which customers make sense for your business. The goal of listening to customers is not to please every one of them. It's to figure out which customer segment served his needs - both short and long term. And giving your product away, as he was discovering, is often a <em>going out of</em> business strategy.<br /> The work he had done acquiring and activating customers was just one part of the entire business model.<br /> As we started the long climb up the driveway, I suggested his fix might be simpler than he thought. He needed to start thinking about what a repeatable and scalable business model looked like.<br /><br />I offered that acquiring users and then making money by finding payers assumed a multi-sided market (users/payers). But a freemium model assumed a single-sided market - one where the users became the payers. He really needed to think through his revenue model (the strategy his company uses to generate cash from each customer segment). And how was he going to use pricing (the tactics of what he charged in each customer segment) to achieve that revenue model? Freemium was just one of many tactics. Single or multi-sided market? 
And which customers did he want to help him get there?<br /> My guess was that he was going to end up firing a bunch of his customers - and that was OK.<br /> As we sat back in the living room, I gave him a copy of <a href="http://www.stevenblank.com/startup_index_qty.html" target="_hplink">The Startup Owner's Manual</a> and we watched a bobcat catch a gopher.<br /> <h2>Lessons Learned</h2><ul><li>Getting out of the building is a great first step</li><li>Listening to potential customers is even better</li><li>Getting users to visit your site and try your product feels great</li><li>Your job is not to make every possible customer happy</li><li>Pick the customer segments and pricing tactics that drive your business model</li></ul><br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/03/art-of-entrepreneurship-who-to-listen.htmltag:blogger.com,1999:blog-6814340767212059173.post-72255118831310729302012-03-08T14:03:00.003+05:302012-03-08T14:03:46.143+05:30Enterprise risk management strategies for Chief Information Officer (CIO)<div dir="ltr" style="text-align: left;" trbidi="on"><br />Risk management is critical for any enterprise embarking on new IT projects and plans. There’s the risk of offshore outsourcing — how do you ensure your data is safe in the hands of a worker in another country? There are also risks in managing compliance efforts, especially in offshore business operations, where getting it wrong can cost you your position or shut the company down. How do CIOs calculate and manage risk? 
Take a look at the enterprise risk management strategies in this CIO Briefing for insight and advice on this important topic.<br />This CIO Briefing is part of a series that gives IT leaders strategic guidance and advice on the management and decision-making aspects of timely topics.<br /> <strong><span style="text-decoration: underline;">Managing operational risk</span></strong><br /> The headlines keep coming: systems failures, data breaches, project delays, troubled products, trading failures, money laundering through mobile networks. These are just some of the sinkholes in operational-risk land related to information technology. The question is, why? Why do they keep coming despite efforts to prevent them?<br />“Why can’t I just get a single view of risk to the business, especially for a particular business activity or process? What makes this so difficult?” an exasperated CIO asked at an executive briefing held by a chapter of ISACA, the IT governance and audit association, after I discussed IT-related business risk.<br /> “One bad business-IT decision killed our company.” Grim reality, right?<br /> Analyzing IT-related risk in silos leaves gaps and frustrates business leaders. Responding to IT risk in silos increases cost, creates prioritization errors and unleashes other gremlins. Silos can lead to both fundamental errors (such as thinking that IT security equals IT risk management, or that IT compliance equals IT risk management) and more complex errors (such as missing the ways risks in a shared infrastructure affect business processes).<br />Every organization should be able to articulate how IT threats can harm a business. 
A five-step risk management process based on a standard such as ISO 31000 makes it easier to explain how IT threats become business threats.<br /> <span style="text-decoration: underline;"><strong>How risk management standards can work for enterprise IT</strong></span><br /> IT security and risk professionals have historically had a hard time articulating how IT threats might negatively impact the business. That needs to change. Attacks on government sites, substantial fraud, and massive privacy breaches continue to expose to the world the high level of risk connected to our corporate and national IT infrastructure. Executives and managers will need to rely more on IT security data and analysis in order to better protect their corporate interests.<br /> As internal and external pressure intensifies, IT professionals must adopt more sophisticated risk management practices so they can better articulate risks, mitigation plans and overall exposure. This means combining both security and risk mentalities, which can be difficult to translate into practical tools and processes.<br />Rather than start from scratch, security professionals should use the standards and guidance available in the enterprise risk management (ERM) domain. The fundamental processes below are those of ISO 31000, the streamlined risk management standard from the International Organization for Standardization (ISO), applied to IT risk management. The following five steps provide guidance for building a formal, ISO 31000-based IT risk management program that communicates well with, and adds value to, the rest of the organization:<br /> <em><strong><br />Step 1: Establish the context</strong></em><br /> This step may seem esoteric or even irrelevant, but without clear definitions, there will be organizational confusion and arguments over responsibilities later on. 
Begin by identifying individuals with risk experience (internally or externally) to help formalize tools and methods for identifying, measuring, and analyzing risk. Once formal roles have been established, risk professionals should document the IT organization’s core objectives and define the ways in which IT risk management supports them.<br /> Establishing risk appetites and tolerance during this first stage will help prioritize risk mitigation efforts later on. Conversations with risk management clients have indicated that most organizations initially choose to rank certain categories of risk for which they have less tolerance, rather than trying to develop quantifiable risk appetites. This is a good first step, but these organizations will eventually need more granular criteria to make informed decisions about which specific risks to focus on.<br /> <em><strong>Step 2: Identify the risks</strong></em><br /> Risk managers will need to tap into their creativity to create a comprehensive list of potential risks. Risks not identified at this stage will not be analyzed or evaluated later on, so having an overly exhaustive list is preferable to one that is overly limited. Start by conducting workshops with relevant stakeholders, identifying the broad range of issues that could impair their objectives, processes and assets.<br />Forrester clients that have been using IT control frameworks, such as Control Objectives for Information and related Technology (COBIT) or ISO 27002, often find them to be useful guides for categorizing their risks. Note that risks should be specific to your organization, not a generic list. 
Plan to reexamine your full list of risks at least on an annual basis to identify any new or emerging risks.<br /> <em><strong>Step 3: Analyze the risks</strong></em><br /> Security professionals typically have a good understanding of events and issues that might undermine IT processes; however, it’s often harder for them to determine what the impact will be to the IT department or the organization as a whole. Work closely with business stakeholders to understand criticality and impact. It may even be possible to leverage the business impact analysis work done by the business continuity team to fill in some of the gaps.<br />Many organizations have found it helpful to create a scale by which to approximate the level of likelihood and impact. For example, some companies create a matrix to measure the likelihood of risks based on characteristics such as exposure or attractiveness of target, and impact based on characteristics such as potential financial costs or reputation damage. The result is a “heat map” that helps prioritize mitigation efforts on the set of risks with the highest combined likelihood and impact ratings.<br /> <em><strong>Step 4: Evaluate the risks</strong></em><br /> Levels of risk after controls have been accounted for (i.e., residual risk) that fall outside of the organization’s risk tolerance will require treatment decisions. The risk appetite and thresholds previously defined will provide guidelines for when to avoid, accept, share, transfer, or mitigate risks. The decisions themselves should be made by individuals who are granted authority or accountability to manage each risk, with input from others who may be positively or negatively affected.<br /> For some risks, the initial analysis may only allow you to determine that your exposure is potentially high enough to warrant further investigation. 
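Steps 3 and 4 above, with the control cost-benefit test that the later section on the $1 million control for a $100,000 risk makes explicit, carried through in code as an added example; it is not part of the original briefing, of Forrester's guidance or of ISO 31000. The likelihood and impact scales, the three-risk register, the per-category tolerances and the candidate controls are all constructed for illustration, and scaling the inherent annual loss by the residual-to-inherent score ratio is a simplifying assumption of this example, not a formula from the standard.<br />

```python
"""Risk analysis (Step 3), evaluation (Step 4) and a cost-benefit gate on
treatment (Step 5) over a small IT risk register.  Added example: the register,
scales, tolerances and controls below are constructed for illustration."""
from dataclasses import dataclass, field

# Ordinal scales for the likelihood x impact matrix, 1 (lowest) to 5 (highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Highest residual score (likelihood x impact) tolerated per risk category;
# this organisation tolerates outages more readily than data breaches.
TOLERANCE = {"data breach": 6, "availability": 12}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from the likelihood score
    impact_reduction: int = 0      # points removed from the impact score
    annual_cost: float = 0.0       # yearly cost, relevant for proposed controls


@dataclass
class Risk:
    rid: str
    description: str
    category: str
    likelihood: str
    impact: str
    annual_loss: float                            # expected yearly loss with no controls
    controls: list = field(default_factory=list)  # controls already operating

    def inherent(self):
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def residual(self, extra=()):
        """Apply operating controls plus any proposed ones; scores never go below 1."""
        l, i = self.inherent()
        for c in list(self.controls) + list(extra):
            l, i = max(l - c.likelihood_reduction, 1), max(i - c.impact_reduction, 1)
        return l, i


def score(l, i):
    return l * i  # heat-map cell value, 1..25


def heat_band(s):
    return "red" if s >= 15 else "amber" if s >= 8 else "green"


def evaluate(risk, tolerance=TOLERANCE):
    """Step 4: a residual score within the category's tolerance is accepted."""
    return "accept" if score(*risk.residual()) <= tolerance[risk.category] else "treat"


def residual_ale(risk, extra=()):
    """Annualised loss expectancy after controls.  Simplifying assumption of this
    example: the inherent annual loss scales with residual/inherent score."""
    return risk.annual_loss * score(*risk.residual(extra)) / score(*risk.inherent())


def treat(risk, candidates):
    """Step 5 with a cost-benefit gate: adopt a proposed control only when the
    yearly loss it removes exceeds its yearly cost, so a $1M control against a
    $100K exposure is rejected.  Candidates are tried in the order given."""
    chosen = []
    for c in candidates:
        saved = residual_ale(risk, chosen) - residual_ale(risk, chosen + [c])
        if saved > c.annual_cost:
            chosen.append(c)
    return chosen


def assess(register, tolerance=TOLERANCE):
    """Steps 3 and 4 over the whole register, hottest residual risk first."""
    rows = []
    for r in register:
        s = score(*r.residual())
        rows.append({"id": r.rid, "residual": s, "band": heat_band(s),
                     "decision": evaluate(r, tolerance)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed register: three risks and the controls already in place for them.
REGISTER = [
    Risk("R1", "Customer PII exfiltrated via compromised admin credentials",
         "data breach", "likely", "severe", 400_000,
         [Control("MFA on admin accounts", likelihood_reduction=2)]),
    Risk("R2", "Public web tier outage from volumetric DDoS",
         "availability", "possible", "major", 120_000),
    Risk("R3", "Laptop holding customer files lost or stolen",
         "data breach", "almost certain", "moderate", 50_000,
         [Control("Full-disk encryption", impact_reduction=2)]),
]

# Constructed candidate treatments for R1; the first costs more than it saves.
CANDIDATES = [
    Control("DLP gateway", likelihood_reduction=1, annual_cost=150_000),
    Control("Privileged session monitoring", likelihood_reduction=1, annual_cost=40_000),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    print("R1 residual ALE:", residual_ale(REGISTER[0]))
    print("R1 controls worth buying:", [c.name for c in treat(REGISTER[0], CANDIDATES)])
```

Run as a script it prints the heat-map rows (R2 scores 12 and is accepted because the availability tolerance is 12; R1 scores 10 after MFA, which is above the data-breach tolerance of 6, so it is flagged for treatment; R3 drops to 5 once encryption removes most of the impact) and then shows that the $150,000 DLP gateway is rejected for R1 because it only removes $100,000 of annual expected loss, while the $40,000 session-monitoring control is adopted. Swap in your own scales and thresholds from Step 1; the point of the structure is that the tolerance, not the analyst's instinct, decides what gets treated.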
Make sure to conduct further analysis when necessary.<br /> <em><strong>Step 5: Treat the risks</strong></em><br /> If the treatment decision involves the mitigation of risk, organizations need to design and implement controls to reduce threats to the organization’s achievement of objectives. Many risks will require more than one control (policies, training, preventive measures and so on) to decrease their expected likelihood and/or impact. Conversely, some controls may mitigate more than one risk. It’s a good idea to reevaluate more than once during implementation.<br />Look out for peripheral effects caused by risk treatments that introduce new risks and/or opportunities. For example, the decision to transfer risk to a business partner creates a new dependency on that partner’s performance and good faith.<br />Very few organizations have fully adopted risk management standards in any aspect of their business, and IT departments are no exception. Forrester recommends providing common guidance for all risk groups, collaborating with peers in functions such as audit and compliance, and settling on policies and procedures before turning to risk management technologies. These steps should help IT risk management programs improve their ability to work closely with the business and achieve a level of commitment in line with the level of risk they’re expected to address.<br /> <span style="text-decoration: underline;"><strong>Strategic risk management includes risk-based approach to compliance</strong></span><br /> Ask what strategic risk management for compliance is and the answer will depend on who’s talking. 
But the gist is this: Rather than allowing the ever-multiplying regulatory mandates to determine a compliance program, an organization focuses on the threats that really matter to its business — operational, financial, environmental and so on — and implements the controls and processes required to protect against them.<br />Focusing on protecting the business will result in a strategic risk management program that, in theory, will answer compliance regulations but in some cases go well beyond the mandate. A risk management approach, say advocates, also saves money by reducing the redundant controls and disparate processes that result when companies take an ad hoc approach.<br /> The scope of protection against threats and the degree of compliance depend on an organization’s risk appetite. The appetite for risk can wax and wane, depending on externalities such as a data breach, a global economic crisis or an angry mob of customers outraged by executive pay packages. When companies are making big profits, they can spend their way out of a compliance disaster. 
In financially rocky times, however, there is much less margin for error.<br />IT pros such as Alexander and a variety of other experts suggest that while a risk-based approach to compliance might be the right thing to do, it is also difficult, requiring that the organization:<br /> •&nbsp;Define its risk appetite.<br />•&nbsp;Inventory the compliance obligations it faces.<br />•&nbsp;Understand the threats that put the various aspects of the business at risk.<br />•&nbsp;Identify vulnerabilities.<br />•&nbsp;Implement the controls and processes that mitigate those threats.<br />•&nbsp;Measure the residual risk against the organization’s risk appetite.<br />•&nbsp;Recalibrate its risk appetite to reflect internal and external changes in the threat landscape.<br /> A risk-based approach to compliance requires a certain level of organizational maturity and, some experts hasten to add, is ill-advised for young companies.<br /> Strategic risk management for compliance can be run manually, even in Excel spreadsheets, but vendors promise that sophisticated governance, risk and compliance (GRC) technology platforms will ease the pain. Meantime, those baseline compliance regulations still need to be met to an auditor’s satisfaction.<br /> Do you know what level of risk your organization can tolerate?<br /> The assumption in a risk management approach to compliance is that the business knows best about the risk level it can tolerate.<br /> When it comes to risk management, getting your head around a tolerance level is extremely difficult.<br />Then there’s the dirty little secret of every organization: For hundreds of years, businesses have been managing risk intuitively: we perceive there to be a risk, therefore we build a control. 
But most controls are built to a perception of the risk and a perception of the scope of the risks, without really stopping to consider what the real risk is and whether this is the right control.<br /> By not doing the risk-benefit analysis, companies get the controls wrong. Spending $1 million on a control that mitigates a $100,000 risk makes no sense at all.<br /> <span style="text-decoration: underline;"><strong><br />The short end of the cost-benefit analysis</strong></span><br /> Back in the 1970s, Ford Motor Co. was sued for allegedly making the callous calculation that it was cheaper to settle with the families of Pinto owners burnt in rear-end collisions than to redesign the gas tank. The case against Ford, as it turns out, was not so cut and dried, but the Pinto lives on in infamy as an example of a company applying a cost-benefit analysis and opting against the public’s welfare.<br /> Regulations introduce externalities that risk management on its own would not have brought to bear, and make them a cost of doing business.<br /> A recent example concerns new laws governing data privacy. For many years in the U.S., companies that collected personally identifiable information owned that data. In the past, losing that information didn’t hurt the collector much but could cause great harm to the consumer, hence the regulations. But the degree to which a business decides to meet the regulation varies, depending — once again — on its tolerance for risk. Organizations must decide whether they want to follow the letter of the law to get a checkmark from the auditor, Henry said, or more fully embrace the spirit of the law.<br /> Is your philosophy as an organization minimal or maximal? 
And if it is minimal, you may decide that it is worth it to get a small regulatory fine rather than comply.<br /> Indeed, “businesses now are cutting costs so narrowly that some know their controls are inadequate and are choosing not to spend that $1 million to put the processes, the people and infrastructure in place for that $100,000 fee. They calculate they’re still $900,000 ahead but don’t expect a business to own up to that. They never let that cat out of the bag.”<br /> <span style="text-decoration: underline;"><strong>Sarbanes-Oxley drives risk management strategy</strong></span><br /> Compliance is expensive. It is hardly surprising that companies are looking for ways to reduce the cost of regulatory compliance or, better yet, turn compliance to competitive advantage. According to Boston-based AMR Research Inc.’s 2008 survey of more than 400 business and IT executives, GRC spending totaled more than $32 billion in 2008, a 7.4% increase from the prior year.<br /> The year-over-year growth was actually less than the 8.5% growth from 2006 to 2007, but the data shows that spending among companies is shifting from specific GRC projects to broad-based support of risk. In addition to risk and regulatory compliance, respondents told AMR they are using GRC budgets to streamline business processes, get better visibility into operations, improve quality and secure the environment.<br /> In prior years, compliance as well as the risk of noncompliance was the primary driving force behind investments in GRC technology and services. GRC has emerged as the new compliance.<br /> Folding regulatory mandates into the organization’s holistic risk management strategy gained momentum in the wake of the Sarbanes-Oxley Act of 2002 (SOX), one of the most expensive regulations imposed on companies. SOX was passed as protection for investors after the financial fraud perpetrated by Enron Corp. 
and other publicly held companies, but it was quickly condemned by critics as a yoke on American business, costing billions of dollars more than projected and handicapping U.S. companies in the global marketplace.<br /> Indeed, the law’s initial lack of guidance on the infamous Section 404 prompted many companies to err on the (expensive) side of caution, treating the law as a laundry list of controls. In 2007, under fire from business groups, the Securities and Exchange Commission and the Public Company Accounting Oversight Board issued a new set of rules encouraging a more top-down approach to SOX.<br /> Certain mandated areas you would not want to meddle with, since they are legal requirements with no exceptions, but instead of checking every little box, companies were advised to take a more risk-based approach.<br /> <span style="text-decoration: underline;"><strong>Risk management frameworks and automated controls</strong></span><br /> Risk management frameworks are not new, and neither, really, is a risk-based approach to compliance. But the strategy has been gaining ground, driven in large part by IT and by IT best-practice frameworks such as COBIT and the IT Infrastructure Library (ITIL).<br /> Fifteen years ago, at any well-managed organization, 75% of controls were manual. Today the industry benchmark is the other way around: IT drives about 90% of the controls and 10% are manual, and the end goal is to move that remaining 10% to automated controls as well.<br /> Two fundamental building blocks are essential to adopting a risk-based approach to compliance: stable systems and processes, and a strong business ethos. 
If a company has highly diverse processes, it is not a good candidate; for such companies compliance looks more like crisis management than risk management, a game of compliance Whack-a-Mole.<br /> Formulating a risk management strategy also requires a clear definition of the values and principles that drive the organization’s business, in other words a certain level of maturity. If the ethos is loosely defined, then it is not safe to take a holistic approach to compliance.<br /> Companies that make the grade, that give consistent guidance to investors, indeed any that operate successfully in the SOX arena, are probably ready for a risk-based approach.<br /> <span style="text-decoration: underline;"><strong>Navigating social media risks</strong></span><br /> Developing corporate social media policies is an ongoing experiment akin to the struggle enterprises endured when the Internet and email were introduced as business tools. Enterprises should not assume, however, that the policies they developed over many years for Internet and email use are a perfect fit for social media.<br /> Companies are making a mistake when they say social media is the same as email and chat. There’s enough that is different about social media that you need to be blunt and state the [rules of behavior] again, even if they’re the same words [used for older e-communications policies] — which I doubt they will be.<br /> For starters, e-discovery policies will change, given the free-for-all nature of social networking, according to Stew Sutton, principal scientist for knowledge management at The Aerospace Corp., a federally funded research and development center in El Segundo, Calif. His organization has no limits on email retention, but with “social conversations, wikis, blogs and tweet streams, the mass of data sitting out there becomes a problem,” he said. 
The issues can make e-discovery “extremely costly.”<br /> <span style="text-decoration: underline;"><strong>CIOs weigh use of social media against security concerns</strong></span><br /> One medical center, a private hospital affiliated with a U.S. university (referred to below as BMC), blocks access to all social media websites using security software from Websense Inc. Users who attempt to reach sites such as Facebook, YouTube or Twitter are shown a page indicating that their destination is off-limits. Nevertheless, the debate about whether to open up access to such sites or to keep blocking them remains contentious.<br /> In fact, the discussion comes up “practically on a daily basis,” said Brad Blake, director of IT at BMC. “As you can imagine, we have a lot of users who want access to these sites, but for a variety of reasons we do not feel comfortable opening them.”<br /> If BMC created a Facebook account and asked its patients to be friends, that would constitute a security breach, so senior management has found it easier simply to block these sites rather than try to police and manage them.<br />CIOs faced with the use of social media as a business tool are hard-pressed to balance that business need against security concerns. Some are so hard-pressed, in fact, that they begged off being interviewed for this story, asserting they are too new to the game to speak knowledgeably about security tools for social media. Other CIOs were pressured by their public relations people not to broadcast their thinking, for security reasons. Even those who agreed to describe their strategy for securing social media were hesitant about providing details of their IT tools. And others were in a position similar to Blake’s: as their companies wrestled with how the business should use social media, the default position was simply to block access.<br /> We are finding that a lot of these policies disallow the use of social media, even when there is a business need. 
Companies have people bringing in social media and using it faster than the policies and the security groups can keep up with.<br /> Not so long ago, the notion seemed absurd that employees would use a social media website like YouTube for business purposes. Now many marketing departments put videos on YouTube and track the videos that competitors post. But protecting the business from the risks of social media while facilitating a legitimate business need, at least on a proactive basis, remains outside the grasp of many businesses.<br /> People are not there yet. A lot of the tools, access controls being one, are coarse and crude. Implementing nuanced, automated rules that, for example, allow a marketing department to use YouTube as long as it consumes only so much bandwidth, or is used only during certain hours, is “very difficult.”<br /> Companies need to monitor their networks and desktops, as well as their social networks, to find out what employees and outsiders are saying about the company. Often, however, the best that existing technology can do is detect problems after the fact.<br /> Most security professionals encourage CIOs to track company information that shows up on social media sites. There are numerous analytic tools for Twitter, including TweetStats, Twitter Grader and Hootsuite. Web and content filtering tools such as Websense’s SurfControl cover the Internet and email, and internal tools for monitoring employees’ Internet use have been in place for a long time. Most good firewalls will also flag variances, for example raising an alert that a particular user is uploading 2 GB of data.<br /> Security tools aren’t that smart, however. “Intrusion prevention systems aren’t smart enough to shut off connections based on the content or syntax of something that people are posting,” Baumgarten said. 
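<br /> As an added example (not code from the article, nor from any of the products it names), here is what one such coarse, automated rule looks like when run over proxy log lines: a group may use a category of site only during business hours and only up to a daily upload budget, and any user whose total egress passes 2 GB trips the same kind of variance alert the text attributes to firewalls. The log format, user names, hosts, categories and thresholds are all constructed for illustration.

```python
"""Coarse, automated egress-policy checks over proxy log lines.

Added example; the log format, users, hosts and thresholds are constructed for
illustration and do not describe any particular firewall or filtering product.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed log lines: "<ISO timestamp> <user> <group> <host> <category> <bytes_uploaded>"
SAMPLE_LOG = """\
2011-05-10T10:15:00 alice marketing youtube.com video 52428800
2011-05-10T11:40:00 alice marketing youtube.com video 104857600
2011-05-10T21:05:00 alice marketing youtube.com video 10485760
2011-05-10T10:20:00 bob finance facebook.com social 2048
2011-05-10T13:00:00 carol engineering dropbox.com storage 1610612736
2011-05-10T15:30:00 carol engineering dropbox.com storage 1073741824
2011-05-10T09:05:00 dave marketing twitter.com social 4096
"""

# Assumed policy: which groups may use each category; an empty set means nobody.
POLICY = {
    "video": {"marketing"},
    "social": {"marketing"},
    "storage": set(),
}
BUSINESS_HOURS = (time(9, 0), time(18, 0))   # policed categories only inside this window
DAILY_BUDGET = 500 * 1024 * 1024             # 500 MiB per user, per category, per day
VARIANCE_THRESHOLD = 2 * 1024 ** 3           # the "2 GB upload" red light from the text


def parse_line(line):
    ts, user, group, host, category, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "group": group,
            "host": host, "category": category, "bytes": int(nbytes)}


def evaluate(log_text, policy=POLICY):
    """Return a sorted list of (user, reason) alerts for the given log text."""
    alerts = set()
    budget = defaultdict(int)   # (day, user, category) -> bytes uploaded
    egress = defaultdict(int)   # (day, user) -> total bytes uploaded
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        day, user, cat = rec["ts"].date(), rec["user"], rec["category"]
        allowed = policy.get(cat)           # None: this category is not policed at all
        if allowed is not None and rec["group"] not in allowed:
            alerts.add((user, f"{cat} not permitted for group {rec['group']}"))
        if allowed is not None and not (BUSINESS_HOURS[0] <= rec["ts"].time() < BUSINESS_HOURS[1]):
            alerts.add((user, f"{cat} use outside business hours"))
        budget[(day, user, cat)] += rec["bytes"]
        if budget[(day, user, cat)] > DAILY_BUDGET:
            alerts.add((user, f"daily {cat} upload budget exceeded"))
        egress[(day, user)] += rec["bytes"]
        if egress[(day, user)] > VARIANCE_THRESHOLD:
            alerts.add((user, "total upload volume exceeds 2 GB"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in evaluate(SAMPLE_LOG):
        print(f"{user:<8} {reason}")
```

Everything here is detection after the fact: the rule looks at the log once the bytes have already left. It knows who, where, when and how much, and nothing about what was posted, which is exactly the gap the quote about intrusion prevention systems describes.<br /> 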
A clear policy on the use of social media is still the first line of defense against social media threats.<br /> <span style="text-decoration: underline;"><strong>Avoiding cloud computing risks</strong></span><br /> Following the recent downtime and data breaches at top-tier cloud service providers including Amazon Web Services LLC, Sony Corp. and Epsilon Data Management LLC, the risk deck has been shuffled at enterprises looking to move to hybrid cloud computing. Two risks that lurked in the middle of our top 10 list — liability and identity management — have floated to the top.<br /> Once again, enterprise executives are talking about the need for cloud insurance, or at least a discussion about who is responsible when the cloud goes down. Presently, public clouds offer standardized service-level agreements, or SLAs, that offer remuneration for time — but not for potential business — lost during the downtime. Recent events could be opportunities for providers and CIOs to negotiate premium availability services, according to experts.<br />Why is cloud computing so hard to understand? It would be an equally fair question to ask why today’s Information Technology is so hard to understand. The answer would be because it covers the entire range of business requirements, from back-office enterprise systems to various ways such systems can be implemented. Cloud computing covers an equal breadth of both technology and, equally important, business requirements. Therefore, many different definitions are acceptable and fall within the overall topic.<br /> But why use the term “cloud computing” at all? It originates from the work to develop easy-to-use consumer IT (Web 2.0) and its differences from existing difficult-to-use enterprise IT systems.<br /> A Web 2.0 site allows its users to interact with other users or to change content, in contrast to non-interactive Web 1.0 sites where users are limited to the passive viewing of information. 
Although the term Web 2.0 suggests a new version of the World Wide Web, it does not refer to new technology but rather to cumulative changes in the ways software developers and end-users use the Web.<br /> World Wide Web inventor Tim Berners-Lee clarifies, “I think Web 2.0 is, of course, a piece of jargon; nobody even knows what it means. If Web 2.0 for you is blogs and wikis, then that is ‘people to people.’ But that was what the Web was supposed to be all along. The Web was designed to be a collaborative space where people can interact.”<br /> In short, Web 2.0 isn’t new technology; it’s an emerging usage pattern. Ditto for cloud computing; it’s an emerging usage pattern that draws on existing forms of IT resources. Extending Berners-Lee’s definition of Web 2.0, the companion to this book, Dot Cloud: The 21st Century Business Platform, helps clarify that cloud computing isn’t a new technology:<br /> “The cloud is the ‘real Internet’ or what the Internet was really meant to be in the first place, an endless computer made up of networks of networks of computers.”<br /> “For geeks,” it continues, “cloud computing has been used to mean grid computing, utility computing, Software as a Service, virtualization, Internet-based applications, autonomic computing, peer-to-peer computing and remote processing — and various combinations of these terms. For non-geeks, cloud computing is simply a platform where individuals and companies use the Internet to access endless hardware software and data resources for most of their computing needs and people-to-people interactions, leaving the mess to third-party suppliers.”<br /> <span style="text-decoration: underline;"><strong><br />Cloud’s birth in the new world</strong></span><br /> Again, cloud computing isn’t new technology; it’s a newly evolved delivery model. 
The key point is that cloud computing focuses on the end users and their abilities to do what they want to do, singularly or in communities, without the need for specialized IT support. The technology layer is abstracted, or hidden, and is simply represented by a drawing of a “cloud.” This same principle has been used in the past for certain technologies, such as the Internet itself. At the same time, as the Web 2.0 technologists were perfecting their approach to people-centric collaboration, interactions, use of search and so on, traditional IT technologists were working to improve the flexibility and usability of existing IT.<br /> This was the path that led to virtualization, the ability to share computational resources and reduce the barriers of costs and overhead of system administration. Flexibility in computational resources was in fact exactly what was needed to support the Web 2.0 environment. Whereas IT was largely based on a known and limited number of users working on a known and limited number of applications, Web 2.0 is based on any number of users deploying any number of services, as and when required in a totally random dynamic demand model.<br /> The trend toward improving the cost and flexibility of current in-house IT capabilities by using virtualization can be said to be a part of cloud computing as much as shifting to Web-based applications supplied as services from a specialist online provider. Thus it is helpful to define cloud computing in terms of usage patterns or “use cases” for internal cost savings or external human collaboration more than defining the technical aspects.<br /> There are differences in regional emphases on what is driving the adoption of cloud computing. 
The North American market is more heavily focused on a new wave of IT system upgrades; the European market is more focused on the delivery of new marketplaces and services; and the Asian market is more focused on the ability to jump past on-premises IT and go straight to remote service centers.<br /> <span style="text-decoration: underline;"><strong><br />How the cloud shift affects front-office activities</strong></span><br /> There is a real shift in business requirements that is making “use” the defining issue. IT has done its work of automating back office business processes and improving enterprise efficiency very well, so well that studies show the percentage of an office worker’s time spent on processes has dropped steadily. Put another way, the routine elements of operations have been identified and optimized. But now it’s the front office activities of interacting with customers, suppliers and trading partners that make up the majority of the work.<br /> Traditional IT has done little to address this, as its core technologies and methodologies of tightly-coupled, data-centric applications simply aren’t suitable for the user-driven flexibility that is required in the front office. The needed technology shift can be summarized as one from “supply push” to “demand pull” of data, information and services.<br /> Business requirements are increasingly being focused on the front office around improving revenues, margins, market share and customer services. To address these requirements, a change in the core technologies is needed in order to deliver diversity around the edge of the business where differentiation and real revenue value are created. 
Web 2.0 user-centric capabilities are seen as a significant part of the answer.<br /> The technology model of flexible combinations of “services” instead of monolithic applications, combined with user-driven orchestration of those services, supports this shifting front office emphasis on the use of technology in business. It’s not even just a technology and requirement match; it’s also a match on the supply side. These new Web 2.0 requirements delivered through the cloud offer fast, even instantaneous, implementations with no capital cost or provisioning time.<br /> This contrasts to the yearly budget and cost recovery models of traditional back office IT. In fact many cloud-based front office services may only have a life of a few weeks or months as business needs continually change to suit the increasingly dynamic nature of global markets. Thus the supply of pay-as-you-go instant provisioning of resources is a core driver in the adoption of cloud computing. This funding model of direct cost attribution to the business user is in stark contrast to the traditional overhead recovery IT model.<br /> While cloud computing can reduce the cost and complexity of provisioning computational capabilities, it also can be used to build new shared service centers operating with greater effectiveness “at the edge” of the business where there’s money to be made. Front office requirements focus on people, expertise and collaboration in any-to-any combinations.<br />According to Dot Cloud, “There will be many ways in which the cloud will change businesses and the economy, most of them hard to predict, but one theme is already emerging. Businesses are becoming more like the technology itself: more adaptable, more interwoven and more specialized . These developments may not be new, but the advent of cloud computing will speed them up.”<br /> There are many benefits to the various cloud computing models. 
But for each benefit, such as cost savings, speed to market and scalability, there are just as many risks and gaps in the cloud computing model.<br />The on-demand computing model in itself is a dilemma. With the on-demand utility model, enterprises often gain a self-service interface so users can self-provision an application, or extra storage from an Infrastructure as a Service provider. This empowers users and speeds up projects.<br /> The flip side: Such services may be too easy to consume. Burton Group Inc. analyst Drue Reeves, speaking at the firm’s Catalyst show last week, shared a story of a CIO receiving bills for 25 different people in his company with 25 different accounts with cloud services providers. Is finance aware of this, or will it be in for a sticker shock?<br /> Lack of governance can thus be a problem. The finance department may have to address users simply putting services on a credit card, and there’s also the issue of signing up for services without following corporate-mandated procedures and policies for security and data privacy. Does the information being put in the cloud by these rogue users contain sensitive data? Does the cloud provider have any regulatory compliance responsibility, and if not, then is it your problem?<br /> There are several other big what-ifs regarding providers. For example, do they have service-level agreements (SLAs)? Can you get an SLA that covers security parameters, data privacy, reliability/availability and uptime, data and infrastructure transparency?<br /> The main issues are you can’t see behind the [cloud providers'] service interface so you don’t know what their storage capabilities really are, what their infrastructure really is … so how can you make SLA guarantees [to users]?<br />Furthermore, would the provider be able to respond to an e-discovery request? 
Is that on the SLA, and is that information classified, easily accessible and protected?<br /> For some companies, a lack of an SLA is not an issue. For CNS Response Inc., a psychopharmacology lab service that provides a test for doctors to match the appropriate drug to a behavioral problem, not having an SLA with Salesforce.com Inc. was a moot point.<br /> But is this good enough for a large enterprise? That question remains, and experts said it will be up to customers to push vendors to provide appropriate SLAs.<br /> In fact, a big message at the show was pushing vendors to do such things as:<br />Have open application programming interfaces (APIs). Today APIs cannot be monitored or managed at many levels. Customers cannot see where their data resides at their cloud provider, and more importantly, there is no application or service management layer to gain visibility into the performance and management of the application.<br /> There has to be a management layer so customers can see what and where their assets are in the cloud, and what systems are used by which applications. Just think of the cloud as your own data center.<br /> Create fair licensing schemes. Enterprises should be pushing cloud providers to move away from licensing based on physical hardware and compute resources to licenses based on virtual CPUs, managed or installed instances and user seats.<br /> Which brings up another significant what-if: What happens to your data in a legal entanglement?<br />What if you miss paying a bill, or decide not to pay a bill for various reasons, like dissatisfaction with the service? Do you lose your data? Is access to your data put on hold?<br /> There are a lot of questions as to who ultimately owns the data for e-discovery purposes, or if you decide to switch providers. 
Will you have to start all over if you didn’t put the code in escrow, for example?<br /> Cloud computing touts many benefits, but Burton experts at the show said enterprises need to be aware of the what-ifs: What does this really mean for my bottom line, how do I govern this, who really has access to my data and what do the cloud computing providers really have to offer?<br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/03/enterprise-risk-management-strategies.htmltag:blogger.com,1999:blog-6814340767212059173.post-90864053453521850392012-02-02T19:33:00.000+05:302012-02-02T20:08:11.557+05:30Introduction to Security as a Service<div dir="ltr" style="text-align: left;" trbidi="on"><br />The mission statement of the Cloud Security Alliance is “… a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on <strong>the uses of Cloud Computing to help secure all other forms of computing</strong>.” In order to provide greater focus on the second part of our mission statement, the CSA is embarking on a new research project to provide greater clarity on the area of <strong>Security as a Service</strong>. A whitepaper will be produced as a result of this research, which will also be considered to be a candidate new domain for version 3 of the <a href="https://cloudsecurityalliance.org/research/projects/security-guidance-for-critical-areas-of-focus-in-cloud-computing/">CSA guidance</a>.<br />Numerous security vendors are now leveraging cloud based models to deliver security solutions. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. Regardless of the motivations for offering such services, consumers are now faced with evaluating security solutions which do not run on premises. 
Consumers need to understand the unique nature of cloud-delivered security offerings so that they are in a position to evaluate the offerings and to understand if they will meet their needs.<br />The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.<br /><br />[<a href="https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf" target="_blank">PDF Paper</a>]</div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/02/introduction-to-security-as-service.htmltag:blogger.com,1999:blog-6814340767212059173.post-30195474070718874952012-01-30T19:30:00.001+05:302012-01-30T19:30:35.048+05:30Paper on Computer Forensics Timeline Analysis<div dir="ltr" style="text-align: left;" trbidi="on"><br />Computer forensics requires applying computer science to answer legal questions. Arranging events chronologically is a good way of telling a clear, concise story. As valuable as date- and time-based information often is to a case, none of the leading forensic tools offer usable date- and time-oriented tools. Log2timeline is an excellent tool for extracting date- and time-based information from digital evidence. In fact, the amount of information it extracts can overwhelm the examiner. 
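<br /><br />As an added example (not taken from the paper, and not log2timeline's own code), the following Python builds a miniature "super timeline" from artifacts whose timestamps arrive in different formats and time zones. The point it demonstrates is the one that makes or breaks a chronological story: every source has to be normalised to UTC before sorting, because a syslog line in local time placed next to a Windows event in UTC will otherwise land in the wrong order. The artifacts, hostnames, the year 2012 and the UTC+05:30 zone assumed for the syslog host are all constructed for illustration, and the window() helper addresses the overload problem by trimming the timeline to the seconds around a pivot event.

```python
"""Miniature super timeline: normalise heterogeneous timestamps to UTC, sort, trim.

Added example; the artifacts below are constructed and do not come from any real case.
"""
from datetime import datetime, timedelta, timezone

# Assumptions (labelled): the syslog host ran at UTC+05:30 and the log is from 2012.
# Classic syslog lines carry neither a year nor a zone, so both must be supplied.
SYSLOG_TZ = timezone(timedelta(hours=5, minutes=30))
SYSLOG_YEAR = 2012

# Constructed artifacts: (source, raw timestamp as found in the evidence, description)
ARTIFACTS = [
    ("syslog",     "Jan 30 14:02:11",           "sshd: accepted password for admin from 10.0.0.7"),
    ("browser",    "1327912395",                "history: GET http://files.example.test/payload.zip"),
    ("filesystem", "2012-01-30T08:33:40+00:00", "created C:\\Users\\admin\\payload.zip"),
    ("evtx",       "2012-01-30T08:34:02Z",      "event 4688: new process payload.exe"),
    ("syslog",     "Jan 30 14:04:30",           "sudo: admin : COMMAND=/bin/bash"),
]


def parse_syslog(raw):
    """Classic syslog: 'Mon DD HH:MM:SS' in host-local time with no year."""
    naive = datetime.strptime(f"{SYSLOG_YEAR} {raw}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)


def parse_epoch(raw):
    """Unix epoch seconds, which are UTC by definition."""
    return datetime.fromtimestamp(int(raw), tz=timezone.utc)


def parse_iso(raw):
    """ISO 8601 with an explicit offset; a trailing 'Z' is treated as +00:00."""
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


PARSERS = {"syslog": parse_syslog, "browser": parse_epoch,
           "filesystem": parse_iso, "evtx": parse_iso}


def build_timeline(artifacts):
    """Return events as (utc_datetime, source, description), oldest first."""
    events = [(PARSERS[source](raw), source, desc) for source, raw, desc in artifacts]
    events.sort(key=lambda e: e[0])
    return events


def window(timeline, pivot, before=timedelta(seconds=30), after=timedelta(seconds=30)):
    """Trim a timeline to the interval around a pivot event to fight information overload."""
    return [e for e in timeline if pivot - before <= e[0] <= pivot + after]


def render(timeline):
    return "\n".join(f"{t.isoformat()}  {src:<10} {desc}" for t, src, desc in timeline)


if __name__ == "__main__":
    tl = build_timeline(ARTIFACTS)
    print(render(tl))
    print("--- around process creation ---")
    pivot = next(e[0] for e in tl if e[1] == "evtx")
    print(render(window(tl, pivot)))
```

With the zone applied, the SSH login at 14:02:11 local time correctly sorts before the 08:33 UTC download and file creation; without it the login would appear six hours after the malware ran, and the story would read backwards. Narrowing to a pivot is how an examiner keeps a multi-million-row timeline readable.<br />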
[<a href="http://www.sans.org/reading_room/whitepapers/incident/computer-forensic-timeline-analysis-tapestry_33836" target="_blank">PDF</a>]<br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2012/01/paper-on-computer-forensics-timeline.htmltag:blogger.com,1999:blog-6814340767212059173.post-15197858555114585492011-06-09T16:03:00.000+05:302011-08-30T17:45:12.876+05:30Citibank Hacked, Credit Card customers Exposed?<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div style="margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;">Time to check with Citibank whether your credit card details were compromised or not, and if you don't trust Citibank, go ahead and ask them to cancel the current credit card and get a new one. I am already in the process of doing it, by the way.&nbsp;</span></div><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"><span class="Apple-style-span" style="color: #333333; line-height: 13px;">Citigroup has acknowledged that unidentified hackers breached security and gained access to the data of hundreds of thousands of its bank card customers.</span><span class="Apple-style-span" style="color: #333333; line-height: 13px;"><div style="margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">“During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online,” the bank said in an e-mailed statement. 
“We are contacting customers whose information was impacted.”</div><div style="margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">The giant bank said about one percent of its bank card holders had been affected, putting the total count of customers exposed in the hundreds of thousands based on <a href="http://www.citi.com/citi/fin/data/ar10c_en.pdf?ieNocache=415" style="color: #346f9a; text-decoration: none;">its annual report</a> for last year, which said its card business had about 21 million customers in North America.</div><div style="margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">While information concerning customers’ names, account numbers, addresses and e-mail addresses was exposed, the bank said that data like clients’ “social security number, date of birth, card expiration date and card security code (CVV) were not compromised.”</div><div style="margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the bank said. 
“For the security of these customers, we are not disclosing further details.”</div></span></span></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/06/citibank-hacked-credit-card-customers.htmltag:blogger.com,1999:blog-6814340767212059173.post-16394031793029936022011-06-09T15:57:00.000+05:302011-08-30T17:45:12.918+05:30Google infrastructure is old and not up to the mark - Edge for MS and Yahoo?<div dir="ltr" style="text-align: left;" trbidi="on"><br />A former Google engineer who worked on a library at the heart of "nearly every Java server at Google" has dubbed the company's much-ballyhooed backend software "well and truly obsolete".<br />In a <a href="http://rethrick.com/#waving-goodbye" target="_blank">blog post published earlier this week</a>, Dhanji R. Prasanna announced that he had resigned from the company, and though he praised Google in many ways, he made a point of saying that the company's famously distributed back-end is behind the times.<br />"Here is something you may have heard but never quite believed before: Google's vaunted scalable software infrastructure is obsolete," he wrote. "Don't get me wrong, their hardware and datacenters are the best in the world, and as far as I know, nobody is close to matching it. But the software stack on top of it is 10 years old, aging and designed for building search engines and crawlers. And it is well and truly obsolete."<br />As a member of the Google Wave team, Prasanna helped build the search and indexing pipelines for the ill-fated effort to reinvent communication on the web, but he also worked on Guice, a library "at the heart of nearly every single Java server at Google".<br />Prasanna did not immediately respond to a request to discuss his post. 
But he goes on to describe Google's Protocol Buffers, BigTable distributed database, and MapReduce distributed number-crunching platform as "ancient, creaking dinosaurs", compared with outside open source projects like MessagePack, JSON, and Hadoop, which is based on the ideas behind Google's MapReduce and distributed file system.<br />Google has previously acknowledged some shortcomings with the likes of MapReduce. But Prasanna went so far as to say that newer Google infrastructure projects such as <a href="http://www.cidrdb.org/cidr2011/Papers/CIDR11_Paper32.pdf" target="_blank">Megastore</a> as well as developer tools such as Google Web Toolkit and <a href="http://code.google.com/closure/" target="_blank">Closure</a> were "sluggish, overengineered Leviathans" compared to projects like MongoDB and jQuery. He complained that Google's new projects are "designed by engineers in a vacuum, rather than by developers who have need of tools."<br />Google is secretive about its back-end software infrastructure. It has published research papers on platforms such as the Google File System, Google MapReduce, and BigTable, but it otherwise says very little about how these platforms are used within the company. And, yes, the platforms are closed source.<br />On the public mailing list for Google App Engine – an online service that lets you run your own applications atop Google's infrastructure – Google developer programs engineer Ikai Lan took issue with at least some of Prasanna's post.<br />"The bit about Hadoop, for instance, raised a lot of eyebrows amongst Googlers who have extensive use of both (new hires with a few years Hadoop experience)," he said. "I'd also disagree that we are not rebuilding things. In fact, Google has the opposite problem of other technology companies: instead of 'don't touch it, it works!', we err on the side of 'it can be better, we should improve it - mid flight!'"<br />Prasanna did not actually say that Google has failed to rebuild its platforms. 
At one point, he specifically mentioned Megastore, a real-time, high-replication layer built atop BigTable. But he did imply that efforts to rebuild at Google are slow.<br />"In the short time I've been outside Google I've created entire apps in Java in the space of a single workday," he said. "I've gotten prototypes off the ground, shown it to people, or deployed them with hardly any barriers." This, however, would seem to describe a switch from any large corporation.<br />Last year, in an interview with the Association for Computing Machinery (ACM), a Google engineer acknowledged that GFS was unsuited for low-latency, real-time applications like YouTube and Gmail, and he said that Google was working to build a new version of the file system.<br />Googler Matt Cutts later told <i>The Register</i> that this "GFS 2" was part of the company's new search infrastructure codenamed Caffeine.<br />Several months later, at the launch of Google's Instant search interface, Eisar Lipkovitz, a senior director of engineering at the company, told us that within the company, GFS 2 is known as Colossus and that it moves the company's search indexing system off of MapReduce and onto BigTable.<br />A few weeks later, Google published a paper on Colossus and a new distributed data processing system known as Percolator. But according to Lipkovitz, these platforms were built specifically for search and may or may not be applied to other Google services.<br />For years, database guru Mike Stonebraker has criticized MapReduce and GFS, and Lipkovitz told us that Google has made "similar observations". MapReduce, he told us, is not suited to calculations that need to occur in near realtime.<br />Google has also said that the single-master design of GFS is a major limitation. 
"A single point of failure may not have been a disaster for batch-oriented applications, but it was certainly unacceptable for latency-sensitive applications, such as video serving," said Google's Sean Quinlan in his interview with the ACM. Colossus does not have this limitation.<br />At the moment, the open source version of Hadoop is burdened with single points of failure. But Facebook is running a version that eliminates these limitations.<br />In a recent conversation with <i>The Register</i>, Dwight Merriman, the CEO of 10gen, the company that founded the open source MongoDB distributed database, argued that MongoDB is superior to BigTable because it uses a document-oriented data model rather than a tabular model.<br />"Today, 95 per cent of the code we're writing is in an object-oriented language," he said. "We're to the point where object-oriented programming is ubiquitous enough that having a database that works well with that sort of thing is important."<br />He said that Megastore is an improvement on BigTable, but that it doesn't change the database's fundamental tabular setup, and he added that most of the improvements provided by Megastore are already a part of MongoDB.<br /><h3>Google's coding culture</h3>With his blog post, Prasanna was equally critical of Google's coding culture. But, he says, this was a function of the company's size. "The nature of a large company like Google is such that they reward consistent, focused performance in one area. This sounds good on the surface, but if you're a hacker at heart like me, it's really the death knell for your career.<br />"It means that staking out a territory and defending it is far more important than doing what it takes to get a project to its goal," he said. 
"Engineers who simply staked out one component in the codebase, and rejected patches so they could maintain complete control over design and implementation details, had much greater rewards."<br />Prasanna says that he voices these opinions without bitterness. And his post does have a rather even-handed tone. In the past month or two, he says, eight of his colleagues who worked on Google Wave have left the company. Which is hardly surprising: a year after unveiling Google Wave, Google killed development on the project.<br />Lars Rasmussen – who designed the original Google Maps with his brother Jens before running the Google Wave project – has now <a href="http://www.theregister.co.uk/2010/10/31/rasmussen_leaves_google_for_facebook/">defected to Facebook</a>. ® [shamelessly ripped from The Register]<br /><br /><br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/06/google-infrastructure-is-old-and-not-up.htmltag:blogger.com,1999:blog-6814340767212059173.post-53852173608593717522011-06-07T18:42:00.000+05:302011-08-30T17:45:12.944+05:30Mitigation Experience Toolkit (EMET) from Microsoft<div dir="ltr" style="text-align: left;" trbidi="on"><br />The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.<br /><br />Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and, consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied, or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.<br /><br />Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:<br /><br />1. 
<b>No source code needed</b>: Until now, several of the available mitigations (such as Data Execution Prevention) have required an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available, or when source code is not available.<br /><br />2. <b>Highly configurable</b>: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per-process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.<br /><br />3. <b>Helps harden legacy applications</b>: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk, as legacy software is notorious for having security vulnerabilities. While the real solution is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.<br /><br />4. <b>Ease of use:</b> The policy for system-wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform-dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.<br /><br />5. <b>Ongoing improvement</b>: EMET is a living tool designed to be updated as new mitigation technologies become available. This gives users a chance to try out and benefit from cutting-edge mitigations. The release cycle for EMET is also not tied to any product. 
EMET updates can be made dynamically as soon as new mitigations are ready.<br /><br />The toolkit includes several pseudo-mitigation technologies aimed at disrupting current exploit techniques. These pseudo-mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques. <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e127dfaf-f8f3-4cd5-8b08-115192c491cb">Get EMET from MS</a><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/06/mitigation-experience-toolkit-emet-from.htmltag:blogger.com,1999:blog-6814340767212059173.post-20763974483967745912011-05-31T16:39:00.000+05:302011-08-30T17:45:12.971+05:30Windows systems are harder to hack than portrayed?<div dir="ltr" style="text-align: left;" trbidi="on"><br /><span class="Apple-style-span" style="font-family: sans-serif;">I came across this article and I would completely agree with what the author has written. Windows, if hardened and patched properly, combined with some kind of user awareness, can reduce the chances of break-ins drastically.</span><br /><div style="font-family: sans-serif;"><br /></div><div style="font-family: sans-serif;">Over the past few weeks, I've been putting together test hacking scenarios for a customer. They wanted to see copies of the RSA attack <span class="print-footnote" style="font-size: xx-small;">[1]</span>, the Google attack <span class="print-footnote" style="font-size: xx-small;">[2]</span>, advanced persistent threat (APT) <span class="print-footnote" style="font-size: xx-small;">[3]</span> simulations, social engineered Trojans, worms, remote buffer overflows, and more. 
The objective: to test what they could do to prevent all of those assaults on their predominantly Microsoft Windows environment.</div><div style="font-family: sans-serif;"><br /></div><div style="font-family: sans-serif;">I put the customer's environment through its paces, and as expected, it was great fun. It certainly beats filling out paperwork and reading security policies. But something unexpected happened along the way, although I shouldn't have been surprised as I am a full-time principal security architect at Microsoft: I found that Windows 7 and other Microsoft programs were significantly harder to hack than most anyone would believe. It was difficult to perform almost any hack without disabling multiple default defenses and ignoring one or more additional warnings.</div><div style="font-family: sans-serif;"></div>Now, many readers will paint me as a shill for Microsoft, but if you don't believe me, try it yourself. Until then, please don't waste my time and yours reading me the Riot Act diatribe. I've walked the walk, and the results were surprising.<br /><br />For example, simulating the RSA and Google attacks only worked if I was using software many years old; neither of them worked if I was using Microsoft software built in the past three to four years. In the RSA attack, employees were sent a spam email claiming to be a recruitment list. It contained an Excel spreadsheet with a link that opened a malicious zero-day Flash file (containing vulnerability CVE-2011-0609 <span class="print-footnote" style="font-size: xx-small;">[7]</span>). The zero-day vulnerability could grant a hacker remote access, and the rest would be history.<br /><br />First, as with the real attack on RSA, all spam emails were caught and placed in spam folders. Thus, employees had to first leap that small hurdle, which they willingly did. 
When the Excel file was opened in almost any version of Microsoft Office made in the past 10 years, the user was given a warning that the file contains a macro or script and, depending on the version, a link to an external file. The user was warned that the file may contain a malicious item. A user would have to ignore all of that to even give the malware a chance to launch. Microsoft Office 2010 opened the file in its new Protection Mode, which automatically disables the malicious code, by default.<br /><br />In order to get the exploit to work, I had to disable most of the protections that Office gives, or I had to act -- as is very reasonable -- like an employee who ignores multiple warnings on purpose. In nearly every exploit, I had to disable User Account Control (UAC) and Data Execution Prevention (DEP) in Windows, Office, and Internet Explorer. Most of the exploits did not work with Internet Explorer 7 or 8.<br /><br />Even when I disabled all the memory protections, application protections, and so on, warnings continued to pop up. I've always known that a fully patched Windows system was a tough opponent, but I'm here to tell you it's much more resilient than it used to be.<br /><br />It's not just my lack of leet skillz. I worked with several vulnerability testing vendors, and they all grudgingly agreed it's difficult to hack Windows these days.<br />Microsoft's own&nbsp;Security Intelligence reports&nbsp;<span class="print-footnote" style="font-size: xx-small;">[8]</span>&nbsp;say the same thing: The latest versions of Microsoft Windows are harder to hack than their predecessors (see page four of the&nbsp;Key Findings Summary&nbsp;<span class="print-footnote" style="font-size: xx-small;">[9]</span>). To be honest, I never trust those sorts of self-serving statements. But having done the tests myself, I'm a converted believer: The software is getting harder and harder to break.<br /><br />This is not to say that Microsoft software is impossible to hack. 
Of course not. Further, zero-day exploits are appearing more frequently, and nearly everyone continues to have unpatched software. But it's more obvious than ever that the biggest threat to any environment is the end-user <span class="print-footnote" style="font-size: xx-small;">[10]</span>. Users installing socially engineered Trojans have long been the No. 1 vulnerability in today's computer security policy.<br /><br />Even the Mac Defender scareware problem <span class="print-footnote" style="font-size: xx-small;">[11]</span> affecting Mac users wouldn't be a huge problem if people simply didn't install questionable items. In the course of a given year, a normal installation of OS X will have hundreds of vulnerabilities patched. But none of those matter in this instance.<br /><br />Software and antimalware vendors need to do a better job of preventing users from shooting themselves in the foot. Internet Explorer 9's improved SmartScreen Filter feature is a fantastic step in the right direction, and I assume other browsers have followed suit or will do so in the near future. SmartScreen Filter has an Application Reputation feature that works fairly well. It looks at files being downloaded; for those that are recognized as popular and legitimate, it removes additional warnings (if so configured). If it finds a high-risk application, it warns the user.<br /><br />This is a great service, as Microsoft is detecting <span class="print-footnote" style="font-size: xx-small;">[12]</span> that one in every 14 Internet downloads is malicious. Better yet, 90 percent of users who get a warning from IE9 don't run those high-risk programs. I had to turn off IE9's SmartScreen Filter feature to get any of the exploits to work.<br />The list of computer defenses I had to disable to get an exploit demo working numbered more than 10, and that, my friends, is progress. 
[<a href="http://www.infoworld.com/print/162449">infoworld</a>]<br /><br /><br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/windows-systems-are-harder-to-hack-than.htmltag:blogger.com,1999:blog-6814340767212059173.post-18914010023363870392011-05-19T15:42:00.000+05:302011-08-30T17:45:12.992+05:30Seven cloud-computing security risks from Gartner<div dir="ltr" style="text-align: left;" trbidi="on"><br />Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”<br />Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing,” Gartner says.<br /><br />Amazon’s EC2 service and Google’s Google App Engine are examples of cloud computing, which Gartner defines as a type of computing in which “massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies.”<br /><br />Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.<br /><br />Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.<br /><br /><br />1. Privileged user access. 
Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.<br /><br /><br />2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.<br /><br /><br />3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.<br /><br /><br />4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.<br /><br /><br />5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. 
“Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”<br /><br /><br />6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”<br /><br /><br />7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner states. [<a href="http://folk.ntnu.no/oztarman/tdt60/cloud%20computing/3%20Cloud_Computing_Security_Risk.pdf">source</a>]<br /><br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/seven-cloud-computing-security-risks.htmltag:blogger.com,1999:blog-6814340767212059173.post-85958194634037000512011-05-18T14:59:00.000+05:302011-08-30T17:45:13.014+05:30The Role of a SIEM in an Overall Enterprise Security - ISC blog<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="entry-body"> A good article by Brian Albrecht on the ISC blog on how a SIEM fits into enterprise security.<br /><br />An overall enterprise security plan will be comprised of many different moving pieces. 
An effective plan will have all of these pieces in place and working together like a fine-tuned machine. Managing this plan and taking in all of the data that is presented can be an overwhelming task. Correlating all of this data is tough as well – the potential attack that was picked up by your IDS, was it successful? Was there any suspicious activity soon after, perhaps representing a data breach and a successful attack?<br /><br />The inclusion of a SIEM (Security Information and Event Management) product can be a great addition to an already stout enterprise security infrastructure. A well-tuned SIEM product can lend insight into an enterprise’s overall network status – both security-related and otherwise – by taking information from varying sources throughout the enterprise (IDS/IPS data, application, firewall, database, etc.) and putting it all together.<br />In addition, a SIEM may also benefit an organization’s compliance program. A SIEM on its own will not make an organization compliant; however, its log management capabilities can go a long way toward helping “prove” an organization’s compliance.<br /><br />Now, it cannot be left unsaid that the effectiveness of a SIEM is only as good as the data that is being fed into it. That being said, a SIEM may be an excellent “last piece” to an organization’s overall enterprise security puzzle.<br />Now, for full disclosure, I am currently employed by a SIEM provider…on that note, I have the chance to work with our customers on a daily basis and see the benefits that a SIEM provides first-hand. Prior to my current employment, I did not have much experience within the SIEM market. 
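The correlation question raised above (the IDS flagged an attack, but was it successful, and was there suspicious activity soon after?) is what a SIEM rule answers by joining events from several sources. The following is an added example, not code from the ISC article or any SIEM product: it parses constructed Snort-style IDS, firewall and sshd log lines, then looks for follow-on activity between the same attacker and victim inside a time window after each alert.

```python
"""Toy SIEM correlation: was the attack the IDS flagged actually successful?

Added example, not from the ISC article. It joins IDS alerts with firewall and
authentication events from a short window after each alert, the way a SIEM
correlation rule would. All log lines below are constructed samples.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs: a Snort-style alert log, a firewall log and an sshd log.
IDS_LOG = """\
2011-05-18 10:00:05 [1:2003:4] WEB-IIS cmd.exe access {TCP} 203.0.113.7:44321 -> 10.0.0.12:80
2011-05-18 10:07:10 [1:2001:2] SQL injection attempt {TCP} 198.51.100.9:51000 -> 10.0.0.20:443
2011-05-18 11:30:00 [1:2200:1] SSH brute force {TCP} 203.0.113.50:60000 -> 10.0.0.30:22
"""
FW_LOG = """\
2011-05-18 10:00:09 ALLOW 10.0.0.12 -> 203.0.113.7:4444 tcp
2011-05-18 10:01:00 ALLOW 10.0.0.12 -> 10.0.0.5:53 udp
2011-05-18 10:40:00 ALLOW 10.0.0.20 -> 198.51.100.9:443 tcp
2011-05-18 11:30:20 DENY 10.0.0.30 -> 203.0.113.50:22 tcp
"""
AUTH_LOG = """\
2011-05-18 10:05:00 sshd 10.0.0.40 Accepted publickey for alice from 10.0.0.2
2011-05-18 11:31:02 sshd 10.0.0.30 Accepted password for root from 203.0.113.50
"""

IDS_RE = re.compile(r"^(?P<ts>\S+ \S+) \[[^\]]+\] (?P<detail>.+?) \{\w+\} "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<detail>ALLOW|DENY) (?P<src>[\d.]+) -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+) \w+$")
AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) sshd (?P<dst>[\d.]+) Accepted \w+ for "
                     r"(?P<detail>\S+) from (?P<src>[\d.]+)$")


@dataclass
class Event:
    ts: datetime
    source: str      # "ids", "fw" or "auth"
    src_ip: str      # initiator: attacker for IDS/auth, connection source for fw
    dst_ip: str      # victim host for IDS/auth, connection destination for fw
    detail: str      # signature, firewall action, or authenticated user name
    raw: str


def parse_log(text: str, pattern: re.Pattern, source: str) -> List[Event]:
    """Turn one log source into normalized Events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append(Event(datetime.strptime(m["ts"], TS_FMT), source,
                                m["src"], m["dst"], m["detail"], line))
    return events


def correlate(alerts: List[Event], others: List[Event],
              window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """For each IDS alert, collect follow-on evidence from the other sources that
    involves the same attacker/victim pair inside `window` after the alert."""
    incidents = []
    for alert in alerts:
        attacker, victim = alert.src_ip, alert.dst_ip
        evidence: List[Tuple[str, Event]] = []
        for ev in others:
            if not alert.ts <= ev.ts <= alert.ts + window:
                continue   # only activity soon after the alert counts
            # Victim opening a permitted connection back to the attacker: a callback
            # pattern that suggests the exploit ran.
            if ev.source == "fw" and ev.detail == "ALLOW" \
                    and ev.src_ip == victim and ev.dst_ip == attacker:
                evidence.append(("outbound-to-attacker", ev))
            # Attacker authenticating successfully to the victim after the alert.
            elif ev.source == "auth" and ev.src_ip == attacker and ev.dst_ip == victim:
                evidence.append(("successful-login", ev))
        if evidence:
            incidents.append({"alert": alert.detail, "attacker": attacker,
                              "victim": victim, "evidence": evidence})
    return incidents


def run_demo() -> List[dict]:
    """Correlate the constructed sample logs and return the confirmed incidents."""
    alerts = parse_log(IDS_LOG, IDS_RE, "ids")
    others = parse_log(FW_LOG, FW_RE, "fw") + parse_log(AUTH_LOG, AUTH_RE, "auth")
    return correlate(alerts, others)


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc['alert']}: {inc['attacker']} -> {inc['victim']} likely succeeded")
        for kind, ev in inc["evidence"]:
            print(f"  {kind}: {ev.raw}")
```

Of the three alerts, only the cmd.exe and SSH brute-force ones get corroborating evidence; the SQL injection alert's later firewall hit falls outside the 15-minute window, which is the kind of tuning decision the article says makes or breaks a SIEM.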
It has been a fascinating experience, working with customers and working with them to discover data and trending that they could not have seen before.</div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/role-of-siem-in-overall-enterprise.htmltag:blogger.com,1999:blog-6814340767212059173.post-86390583036319938212011-05-17T16:39:00.000+05:302011-08-30T17:45:13.032+05:30Microsoft Security Intelligence Report Volume 10<div dir="ltr" style="text-align: left;" trbidi="on">The Security Intelligence Report (SIR) is an investigation of the current threat landscape. <br />It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, as well as internet services and three Microsoft Security Centers. Get the <a href="http://www.microsoft.com/security/sir/default.aspx">report</a><br /><br />Some of the facts:<br /><br /><br /><ul><li>Exploitation of the Java platform has been on a significant rise since Q2 2010; the number of Java exploitations far exceeds those against Adobe software and OS platforms.</li><li>Malicious IFrames account for a large number of the attacks over HTTP, which likely reflects hijacked and compromised websites.</li><li>Conficker is the most active malware family in enterprise environments but only ninth on the general Internet.</li><li>JS/Pornpop is the most active malware family on the general Internet (non-domain-joined computers).</li><li>On the phishing front, phishing sites targeting social networking are increasing, and they are effective at getting themselves presented to victims.</li><li>Overall OS-level vulnerability counts are steady and browser vulnerability counts are increasing more slowly; however, it is surprising that application vulnerability counts have been decreasing since 2008. 
Maybe the software vendors are actually getting much more secure?</li></ul></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/microsoft-security-intelligence-report.htmltag:blogger.com,1999:blog-6814340767212059173.post-83385549438270296182011-05-17T16:23:00.000+05:302011-08-30T17:45:13.050+05:30Tips for Secure Online Banking<div dir="ltr" style="text-align: left;" trbidi="on"><br />Below are some tips from the McAfee blog for secure online banking transactions.<br /><ol><li>Offers via an unknown person, or offers that are too good to be true, should be suspect. The same goes for offers via tweets and in social media.</li><li>Don’t click the links in emails. Always go to the source. Use your favorites menu or manually type in the address in your web browser with a safe search plug-in.</li><li>Beware of cybersquatting and typosquatting, which may look like the domain of the legitimate eTailer.</li><li>Use secure sites. http<strong>s</strong> in the address bar signifies it’s a secure page.</li><li>Beware of eBay scammers. Don’t respond to eBay email offers. Review eBayers' history. Established sellers should have great feedback.</li><li>Pay attention to your billing statements. Check them every two weeks online and dispute unauthorized charges within 2 billing cycles.</li><li>Don’t use a debit card online. If your debit card is compromised, that’s money out of your bank account. Credit cards provide more protection and less liability.</li><li>Avoid paying by check online/mail-order. Credit cards have more protection and less liability.</li><li>Do business with those you know, like and trust. It’s best to buy high-ticket items from eTailers that also have a brick-and-mortar location.</li><li>Secure your PC. 
Update your critical security patches and anti-virus and only shop from a secured Internet connection.</li></ol></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/tips-for-secure-online-banking.htmltag:blogger.com,1999:blog-6814340767212059173.post-7726857573291850642011-05-17T16:16:00.000+05:302011-08-30T17:45:13.074+05:30QnA on Google Apps.. a good read<div dir="ltr" style="text-align: left;" trbidi="on">Boston-based Bay Cove Human Services is a non-profit organization that offers assistance and service to 4,000 people and families in Massachusetts. CIO Hilary Croach has several technology challenges to contend with. For starters, the agency has its hands in a number of service areas, including helping individuals with developmental disabilities, mental illness, drug and alcohol addiction, and those who need support with aging. With about 140 locations around Eastern Massachusetts, Bay Cove's employees and IT operations are scattered.<br /><br /><br />Because of the expansive nature of his users, Croach decided to take some applications into the cloud with Google Apps for Business. But Bay Cove is subject to a number of regulations, including HIPAA, so the move to the cloud wasn't done without extreme consideration with regard to access control and privacy. Croach recently detailed for CSO why he felt Google Apps tools were the right fit for his agency, and how he handles security in a regulated environment like social services.<br /><br />CSO: How did you first become interested in using Google Apps for Bay Cove?<br />Hilary Croach: We had an email platform we had used for fourteen years. It was a great platform when we first got it. But, in recent years, it became clear it wasn't being updated, it wasn't connecting in with mobile devices, so we couldn't continue with it for our email platform. We looked at Exchange and the idea of hosted solution was on the table. We have about 1600 users. 
When I looked at an Exchange implementation from the ground up, I was talking about a $100,000 capital investment, and that was with the relatively cheap licensing that Microsoft offers to non-profits. But Google, for non-profits of our size, offers Google Apps for free. That was a huge deal for me.<br /><br />Now, of course using Google Apps means it's not in my data center. And there are concerns about security if it's not in my data center. But we quickly became pretty confident that the email and calendar piece of the Google Apps suite would work as well and be as secure as our previous email system for internal communications - and we were clear that sending an email out of any system is pretty much unsafe unless you have encryption tools and so forth. So we made the move.<br /><br />Did you use everything in the suite?<br />No. When we first moved to Google Apps, all we had turned on was Gmail and Calendar. And it's a better platform than we had before, with better connectivity to mobile devices.<br />When we rolled it out, Google had just given administrators the ability to parse out other pieces. Prior to when we started using it, if you wanted to use Google Apps, you had to roll out the whole thing. But we were able to just use Gmail and Calendar. And we also rolled out Docs to a small group of people. We were using Sites for other stuff, like our personnel policies. We were using it as an adjunct to our intranet. But more and more people started coming to me, telling me they really liked the collaborative abilities of Google Docs and they wanted me to turn it on for others.<br /><br />Did you have hesitations about that? How did you handle it?<br />Google Docs, out of the box, is a user-centric collaboration tool. And, one thing to remember, is that most documents, whether Word or Google Docs, don't have protected information in them. When I say protected, I mean by statutes, like the Massachusetts statutes or HIPAA. Most are just documents. 
So this is a wonderfully collaborative tool that can be used, for instance, to write a proposal our staff may be working on to bid on a contract. That document might be private in that we don't want people to see it, but it isn't protected from the point of view of regulation and compliance. Many documents, probably over 90 percent, don't have protected information in them. What a drag to say "We aren't going to let you use it because we are scared you might share something that has protected information in it."<br /><br />On the other hand, we had no visibility; no way of knowing how people were sharing documents. Google is moving more into the enterprise, but the control for the administrators at this point is pretty low, particularly in Google Docs. The ability to share documents is very different from trying to share a Word document that sits on my network. Google Docs has this really scary thing where I can right-click on the document and it says "share this with public." That means anyone can access it; even search engines can search it. That can't happen with a Word document. Sure, people can print out a Word document and share it or put it on a flash drive. But most breaches in our industry come from inadvertent sharing, and Google Docs allows for that in a much greater way. So we decided we didn't want to roll out Google Docs.<br /><br />Then I got some push back. So I started looking around at third-party apps, some of which were administrative tools, to see if there was anything that could help me with the visibility component. I found CloudLock. Their tool gives me the ability to retrospectively know if something has been shared with the public, to an individual outside my domain, or within my own agency. We are using all three levels of sharing appropriately. 
The key to being able to use Google Docs is having the visibility on it.<br />You can see what people are doing with the documents, but how do you ensure they are sharing appropriately?<br /><br />To completely prevent inappropriate sharing, I can certainly go into my admin center and indicate no Google Doc can be shared outside my domain. But if I do that, there may be a counselor on my side who wants to share with a doctor outside with appropriate consent. If I lock that down, they couldn't do that. Part of it is the visibility and understanding. But just like with my internal documents, I make assumptions that staff know and understand policies and will make correct decisions most of the time; I just need to point out to them when they may have accidentally shared.<br /><br />I can do that because the tool gives me a high-level dashboard that shows me how many docs I have in my domain, and lets me know how many have been shared publicly, how many have been shared with individuals in my domain, and what has been shared with everyone in my domain. In the case of protected health information, that could be inappropriate. The tool gives me numbers. And I can look at the content and see if it's appropriate or not. If we feel it is inappropriate, we can then change the sharing privileges. The tool also alerts document owners of potential exposures.<br /><br />And you are able to fully comply with privacy regulations using Google Apps tools?<br />Our compliance is part of a much larger strategy. If you look at the new Massachusetts regulations, the technology lockdown is just one part of it. A lot of it is education of staff around what's appropriate, what's not, what's locked down and what's not. It is ongoing education and then giving people tools to make sure they are following procedures.<br /><br /><br />Do you have any suggestions for other organizations who might consider Google Apps?<br />Don't reject it out of hand because it's in the cloud. 
There is a huge split between cloud fans and those who believe that if they can't touch it, it's not secure. The reality is somewhere in the middle. Adding a third-party tool gives me more visibility on Google Docs than I have on documents in my network. People think Google is not secure. But I think their security is better than what a lot of hospitals have for their data centers. My argument is always this: Don't reject it out of hand. [<a href="http://www.computerworld.com/s/article/9216768/Securing_Google_Apps_A_CIO_Q_A?source=rss_latest_content&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29&amp;utm_content=Anishshaikh.com">source</a>]<br /></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/05/qna-on-google-apps-good-read.htmltag:blogger.com,1999:blog-6814340767212059173.post-24346905477918162262011-03-31T20:22:00.000+05:302011-08-30T17:45:13.105+05:30Alerts on credit card transactions - some tweaks from me to RBI<div dir="ltr" style="text-align: left;" trbidi="on"><i><span id="advenueINTEXT" name="advenueINTEXT">The Reserve Bank of India has asked banks to put in place a system for providing online alerts for all card transactions, irrespective of amount. Until now, banks had to send online alerts to cardholders only for 'Card Not Present' (CNP) transactions of Rs 5,000 and above. Taking note of unauthorized or fraudulent withdrawals from ATMs, RBI has said that banks must implement by June 30 a system of instant alerts for all types of transactions irrespective of the amount, involving usage of cards at various channels.<a href="http://timesofindia.indiatimes.com/business/india-business/Now-alerts-for-all-credit-card-payments/articleshow/7821077.cms"> .....</a></span></i><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">What RBI is doing is the right step in the direction of protecting credit card and debit card users. 
Two suggestions I would like to give RBI: authenticate every transaction with a PIN, and along with the card swipe alert/payment alert, provide the details of the place and phone number of the merchant where the credit card transaction was done. That way, in case of a fraudulent transaction, the merchant can be called immediately and the culprit nabbed quickly, rather than the credit card owner bearing the cost of the fraud.&nbsp;</span><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">Example:&nbsp;</span><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">1) Credit card owner is currently at home watching a World Cup match.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">2) As per the new RBI rule, he receives an SMS saying 4000 was swiped at a mobile sales shop.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">3) CC owner panics, calls customer care and blocks the card, and he is in trouble as he still has to bear the 4000 which was spent.</span><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">As per what I suggest:&nbsp;</span><br /><span id="advenueINTEXT" name="advenueINTEXT">1) Firstly, a credit card transaction will need a PIN code; if the person guesses the PIN code or knows the PIN code, he will go ahead and swipe.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">2) Credit card owner is again at home watching a World Cup match.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">3) Now this person would have received an SMS that said: 4000 was spent at Mobile Sales Shop, Bandra, ph: 022-1234567890.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">4) The CC owner would have immediately called that merchant and informed them that his card is stolen and this is a fraudulent transaction.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">5) The shop owner can immediately catch the thief.</span><br /><span id="advenueINTEXT" name="advenueINTEXT">6) This will not just help nab the fraudsters; it will even give peace of mind to credit card owners, as they at least won't have to bear bills which were not spent by them.</span><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">I hope RBI comes across this post and implements these suggestions. It would bring a lot of peace of mind to all credit card users.</span><br /><br /><span id="advenueINTEXT" name="advenueINTEXT">Cheers All... </span></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/03/alerts-on-credit-card-transactions-some.htmltag:blogger.com,1999:blog-6814340767212059173.post-23430620656137147512011-03-16T21:01:00.000+05:302011-08-30T17:45:13.130+05:30Analysis of Skunkx DDoS Bot<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="color: #666666; font-family: Verdana,Tahoma,Arial,Helvetica,sans-serif; font-size: 11px; line-height: 15px; text-align: left;">Analysis of the Skunkx DDoS Bot; some of the capabilities of the bot are listed below.<br /></span></span><br /><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="color: 
#666666; font-family: Verdana,Tahoma,Arial,Helvetica,sans-serif; font-size: 11px; line-height: 15px; text-align: left;">The bot’s capabilities include:<br /><ul><li>Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks</li><li>Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)</li><li>Spread over USB, MSN, YahooMessenger</li><li>“Visit” sites, speedtest</li><li>Download and install, update, and remove arbitrary software</li><li>Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too</li><li>Spread as a torrent file</li><li>Steal logins stored in the SQLite DB by Mozilla</li></ul><br />The full analysis by Jose can be found at <a href="http://asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/">arbor</a> </span></span></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/03/analysis-of-skunkx-ddos-bot.htmltag:blogger.com,1999:blog-6814340767212059173.post-68889548473861392862011-03-16T20:56:00.000+05:302011-08-30T17:45:13.157+05:30Protecting Your IT Environment from Insider Attacks<div dir="ltr" style="text-align: left;" trbidi="on">I came across this interesting article written by Deb Shinder on Windows Security.com about protecting your environment from insider attacks.<br /><br /><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-size: 13px;"><h2 style="clear: both;">Introduction</h2>According to a recent report from MSNBC.com, the 2011 CyberSecurity Watch Survey conducted by CSO Magazine uncovered that more attacks (58%) are caused by outsiders&nbsp;than insiders (21%); however, 33% view the insider attacks 
to be more costly, compared to 25% in 2010. Perhaps the most interesting tidbit was that insider attacks are becoming more sophisticated, with a growing number of insiders (22%) using rootkits or hacker tools compared to 9% in 2010, as these tools are increasingly automated and readily available. In this article, we'll look at how you can&nbsp;protect your network from&nbsp;these increasingly sophisticated insider attacks.<br /><h2 style="clear: both;">Why insider attacks are more dangerous</h2>Insider attacks are, by definition, conducted by people who have legitimate access to your network and systems. They may be disgruntled employees with a grudge against the company, money-motivated workers who use the system to steal from the company, contractors doing work for you on a temporary basis who are there to engage in corporate espionage, or anyone else who abuses his/her privileges on your network to use it in an unauthorized way. Some attackers are infiltrators who get a job at the company for the express purpose of penetrating its security. 
Some insiders may be threatened, coerced or bribed by outsiders to steal company information or plant a virus or malware that will bring down or disrupt the network.<br />Some scenarios include:<br /><ul type="disc"><li>Deliberately infecting the company computers and network with malware or viruses that disrupt work and result in lost productivity</li><li>Introducing spyware, key loggers and similar software to get information about what co-workers or others within the company are doing</li><li>Stealing passwords to log on to the company network under the guise of someone else, in effect stealing the co-worker’s identity</li><li>Copying confidential company information to take or send outside the company without authorization</li></ul><h2 style="clear: both;">Why most company security strategies focus on outsiders</h2>If insider attacks are costing companies more, why is it that most security policies and strategies seem to focus on protecting the network from outside threats? There are a number of reasons. Traditionally, network security has been “all about the edge.” The foundation of network security has been the network firewall – a “guard at the gate” positioned between the computers (and users) on the internal network and the potentially malicious “unknowns” outside. The problem with this model is that it makes a big and sometimes invalid assumption, which is that all of the users inside can be trusted. It’s not surprising that companies have made that assumption. It’s human nature not to want to consider the possibility that “your” people might betray you. However, this can be a fatal mistake.<br />Perhaps the primary reason is that it’s simply more difficult to defend against insiders. Company employees often need access to sensitive information to do their jobs, rendering it vulnerable to theft. They have legitimate credentials to log onto the network, making it easier for them to exploit any security holes to disrupt network services. 
Some folks argue that it can’t be done at all. They make a good point: If you give someone the keys to the kingdom, it’s going to be extremely difficult to prevent him from misusing them if he really wants to. Nonetheless, there<span class="Apple-converted-space">&nbsp;</span><i>are<span class="Apple-converted-space">&nbsp;</span></i>steps that you can take to make it more difficult for insiders to do extensive damage.<br /><h2 style="clear: both;">Developing a security strategy to protect against insider attacks</h2>Just as retail establishments have in place loss prevention programs to keep employees from stealing merchandise or cash, businesses that deal with important electronic data (which includes the vast majority of them these days) need to think in terms of<span class="Apple-converted-space">&nbsp;</span><i>data loss prevention (DLP)<span class="Apple-converted-space">&nbsp;</span></i>programs. There are a number of DLP technologies available from various vendors, but a comprehensive strategy goes further than just buying a DLP appliance and plugging it in.<br />You might never be able to completely eliminate the risk of insider attacks, but here are some of the things you can do to reduce the incidence and the impact:<br /><ul><li><b>Implement a dedicated DLP appliance or software.<span class="Apple-converted-space">&nbsp;</span></b>DLP appliances or software allow you to track the travel of your company’s data, either in real time or by collecting information and summarizing it in daily or weekly reports. You’ll want a DLP system that can intercept and read SSL or other encrypted messages, or users will be able to defeat its purpose simply by encrypting the data they send outside the network. 
Note that a drawback of DLP is that it may negatively impact network performance.</li><li><b>Configure your firewall to address traffic going both ways.<span class="Apple-converted-space">&nbsp;</span></b>Most modern firewalls are capable of filtering both inbound and outbound traffic, but many are configured to only control the former. Set up outbound rules on your firewall to explicitly block or explicitly allow the network traffic that matches the criteria you set. For example, you could block outbound traffic that uses a specific port number.</li><li><b>Use packet inspection within the network.<span class="Apple-converted-space">&nbsp;</span></b>DLP appliances and firewalls focus on traffic being sent outside the network. You can use packet inspection tools such as Network Analysis and Visibility (NAV) products to inspect the contents of packets moving within the internal network, for example when a user downloads a file from the server to his computer that he shouldn’t have access to or doesn’t need to do his work. NAV tools can examine the contents in great depth and look for particular words or types of data (such as social security numbers or account numbers) within a document or file. 
NAV has the same problem as DLP in that it can slow down network performance.</li><li><b>Use mail security products with content filtering.<span class="Apple-converted-space">&nbsp;</span></b>You can use the content filtering feature on your email security products to, for example, block outbound messages that contain certain keywords, or block users from sending attachments, to prevent insiders from sending confidential information outside the network.</li><li><b>Data encryption.<span class="Apple-converted-space">&nbsp;</span></b>Encrypting sensitive data will make it more difficult for those inside the network (as well as outsiders) to be able to access and read the information even if they do manage to intercept it and take it outside.</li><li><b>Least privilege policy.<span class="Apple-converted-space">&nbsp;</span></b>For best security and protection against insider threats, always follow a policy of giving users the most restrictive set of privileges that will still allow them to do the work they need to do. Apply this same policy when configuring your DLP product or your firewall’s outbound rules, by starting off by blocking everything and then allowing those things that are needed, rather than the opposite method of starting off by allowing everything and then restricting things selectively. 
Likewise, the keys to access encrypted data should be available only to those whose jobs require that they access that data, and not to all employees or all employees who happen to work in a specific department or hold a particular position.</li><li><b>File access auditing.<span class="Apple-converted-space">&nbsp;</span></b>Implementing auditing of access to file system objects will help you detect when insiders are accessing information for which they don’t have a need in order to do their jobs.</li><li><b>Area of responsibility or segregation of duties.<span class="Apple-converted-space">&nbsp;</span></b>This is a policy that ensures that no one person can process an important transaction (such as transfer of monetary funds) alone. One person may be able to initiate the process but it can’t be completed without the authorization of one or more other individuals. This provides a set of checks and balances to protect against a lone rogue employee or infiltrator.</li><li><b>Control USB devices.<span class="Apple-converted-space">&nbsp;</span></b>DLP, firewalls, and mail content filtering will help prevent insiders from sending sensitive company information outside the network via the Internet. However, removable USB drives, especially easily concealed “thumb drives” (flash memory drives), are often used by insiders to copy sensitive company information and manually carry it outside the company. To prevent this, you can disable USB ports on systems of those who don’t absolutely need them. You can use Windows Group Policy or third party software to restrict or block the installation of USB devices. 
Software such as GFI Endpoint Security can be used to manage user access and log the activities of USB drives, flash memory cards, CDs, floppy disks, iPods and other MP3 players, smart phones and PDAs and anything else that connects to computers via USB.</li><li><b>Rights management services.<span class="Apple-converted-space">&nbsp;</span></b>Rights management allows you to give users access to data, but helps prevent them from sharing that data with others who aren’t authorized to have it. Windows Rights Management Services (RMS) allows you to block copying or printing of documents, block forwarding or copying of email messages, and so forth. Windows also blocks taking a screenshot of protected documents or messages. While there are always ways around this for a determined person (for example, the user could take a photo of the screen with a cell phone camera), it makes it more difficult for insiders to misappropriate the protected information.</li><li><b>Change management.<span class="Apple-converted-space">&nbsp;</span></b>Configuration and Change Management tools help you to identify when changes are made to the configurations of systems that may be done by employees to gain access to information they shouldn’t have. There are many products on the market that can be used to track changes on the network.</li><li><b>Identity management.<span class="Apple-converted-space">&nbsp;</span></b>Because access privileges are granted based on the identity of the user, it is imperative that you have in place a good identity management system. 
This becomes even more important in today’s network environment, where company mergers and the moving of some or all data into the cloud complicate things even more.</li></ul>These are just some of the basic steps that you should take to protect against insider threats.<br /><br />The original article can be found at <a href="http://www.windowsecurity.com/articles/Protecting-Against-Insider-Attacks-Todays-Network-Environments.html?printversion">Windows Security website</a></span></span></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/03/protecting-your-it-environment-from.htmltag:blogger.com,1999:blog-6814340767212059173.post-68219038598520798822011-02-15T14:34:00.000+05:302011-08-30T17:45:13.183+05:30Database Firewall from Oracle - Block SQL Injection on Oracle MSSQL DB2<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="KonaBody" id="post"> <div class="content">Oracle has released its first database firewall designed to protect valuable systems from attack and disruption.<br />The Oracle Database Firewall has been developed using technology acquired from its purchase of Secerno last year. It allows real-time monitoring of intrusions, SQL attacks and any attempt to misallocate access privileges.</div><div class="content">“Evolving threats to databases require enterprises to look at new security solutions,” said Vipin Samar, vice president of database security at Oracle. <br />“Oracle Database Firewall offers organizations a first line of defense that can stop internal and external attacks from reaching databases. Easy to deploy and manage, Oracle Database Firewall helps reduce the costs and complexity of securing data across the enterprise without requiring any changes to existing applications and databases.”<br />The firewall uses a technology Oracle calls SQL grammar analysis to detect attacks on the database by monitoring and classifying millions of SQL statements and looking for abnormal behavior. The system also uses both blacklists and whitelists to minimise threats.<br />“It's an extremely crowded market; it's filled with vendors with more experience in this market than Oracle,” Charles King, principal analyst for Pund-IT, told V3.co.uk.</div><div class="content">“This is emblematic of the type of control Oracle is trying to extend. 
If you're a dedicated Oracle solution user, then getting all your kit from one source can make sense, but not for most people.”<br />The firewall works with Oracle Database 11g and below, IBM DB2 for Linux, Unix and Windows, Microsoft SQL Server 2000, 2005 and 2008, and Sybase.</div></div><div style="background-color: transparent; border: medium none; color: black; overflow: hidden; text-align: left; text-decoration: none;"><br />Read more: http://www.v3.co.uk/v3/news/2274770/oracle-database-firewall#ixzz1E15NjFjj </div></div>Anoreply@blogger.com0http://www.anishshaikh.com/2011/02/database-firewall-from-oracle-block-sql.htmltag:blogger.com,1999:blog-6814340767212059173.post-20916569383606132432011-01-05T22:53:00.000+05:302011-08-30T17:45:13.206+05:30How to set up a pentesting lab - Rapid7 Article..A must-read article from the Rapid7 blog on how to set up a pentest lab.<br /><br />http://blog.rapid7.com/?p=5791Anoreply@blogger.com0http://www.anishshaikh.com/2011/01/how-to-set-up-pentesting-lab-rapid7.html
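The "SQL grammar analysis" described in the Oracle Database Firewall post above (classifying statements and checking them against whitelists and blacklists) can be illustrated with a small statement-shape classifier. The following Python is an added example written for this page, not Oracle's or Secerno's code; its tokenizer, training statements and blacklist fragments are constructed assumptions.

```python
"""Toy SQL statement firewall: a whitelist of learned statement shapes plus a
blacklist of suspicious shape fragments. Added example for this page, not
Oracle's or Secerno's code; tokenizer, training set and blacklist are assumptions."""
import re

# Tokenizer: string literals, numbers, identifiers/keywords, comments, operators.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"            # single-quoted string literal ('' escapes a quote)
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_.]*"  # identifier or keyword (dotted names allowed)
    r"|--[^\n]*"                 # line comment
    r"|/\*.*?\*/"                # block comment
    r"|<>|<=|>=|!=|\S",          # two-char operators, then any other single char
    re.S,
)

def skeleton(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?', comments
    are dropped, words are upper-cased, whitespace is collapsed. Statements that
    differ only in data values share a skeleton; an injected clause changes it."""
    parts = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or tok[0].isdigit():
            parts.append("?")                 # literal: value is irrelevant to shape
        elif tok.startswith("--") or tok.startswith("/*"):
            continue                          # comments carry no grammar
        else:
            parts.append(tok.upper())
    return " ".join(parts)


class SqlFirewall:
    """PASS known shapes, BLOCK blacklisted fragments, ALERT on unknown shapes."""

    def __init__(self, blacklist):
        self.allowed = set()
        self.blacklist = list(blacklist)

    def learn(self, sql: str) -> None:
        """Learning mode: record the shape of a statement seen in normal traffic."""
        self.allowed.add(skeleton(sql))

    def classify(self, sql: str):
        sk = skeleton(sql)
        for fragment in self.blacklist:
            if fragment in sk:
                return "BLOCK", sk
        if sk in self.allowed:
            return "PASS", sk
        return "ALERT", sk                    # unseen shape: review before allowing


# Constructed sample: statements captured while the application ran normally.
TRAINING_SET = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE name = 'alice'",
    "UPDATE users SET last_login = 1700000000 WHERE id = 42",
    "INSERT INTO audit_log (user_id, action) VALUES (42, 'login')",
]

# Constructed blacklist of skeleton fragments this application's SQL never
# produces; a real deployment tunes such a list against its own traffic.
BLACKLIST = ["OR ? = ?", "UNION SELECT", "; DROP", "; SHUTDOWN"]


def build_firewall() -> SqlFirewall:
    fw = SqlFirewall(BLACKLIST)
    for stmt in TRAINING_SET:
        fw.learn(stmt)
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    for stmt in ["SELECT id, name FROM users WHERE id = 99 -- new value, same shape",
                 "SELECT id, name FROM users WHERE id = 7 OR 1=1",
                 "DELETE FROM audit_log WHERE ts < 100"]:
        verdict, sk = fw.classify(stmt)
        print(f"{verdict:5}  {sk}")
```

Blocking on fragments alone is crude, which is why the unknown-shape case alerts rather than blocks: the whitelist learned from real traffic does the precise work, and the blacklist only catches shapes that should never appear.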